Thank you for your contribution to Debian.

Mapping oldstable-security to oldstable-proposed-updates.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Feb 2026 11:26:12 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-7+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1068110 1111105 1113994 1118282 1123606
Changes:
 netty (1:4.1.48-7+deb12u2) bookworm-security; urgency=medium
 .
   * Team upload
   * Fix CVE-2024-29025 (Closes: #1068110)
     The `HttpPostRequestDecoder` can be tricked to accumulate data.
     While the decoder can store items on the disk if configured so,
     there are no limits to the number of fields the form can have;
     an attacker can send a chunked post consisting of many small
     fields that will be accumulated in the `bodyListHttpData` list.
     The decoder cumulates bytes in the `undecodedChunk` buffer
     until it can decode a field; this field can cumulate data
     without limits.
   * Fix CVE-2025-55163 (Closes: #1111105)
     Netty is vulnerable to MadeYouReset DDoS.
     This is a logical vulnerability in the HTTP/2 protocol,
     that uses malformed HTTP/2 control frames in order to break
     the max concurrent streams limit, which results in resource
     exhaustion and distributed denial of service.
   * Fix CVE-2025-58056 (Closes: #1113994)
     When supplied with specially crafted input, BrotliDecoder and
     certain other decompression decoders will allocate a large
     number of reachable byte buffers, which can lead to
     denial of service. BrotliDecoder.decompress has
     no limit in how often it calls pull, decompressing
     data 64K bytes at a time. The buffers are saved in
     the output list, and remain reachable until OOM is hit.
   * Fix CVE-2025-58057:
     When supplied with specially crafted input, BrotliDecoder
     and certain other decompression decoders will allocate
     a large number of reachable byte buffers, which can lead
     to denial of service. BrotliDecoder.decompress has no limit
     in how often it calls pull, decompressing data 64K bytes at
     a time. The buffers are saved in the output list, and remain
     reachable until OOM is hit.
     (Closes: #1113994)
   * Fix CVE-2025-59419 (Closes: #1118282)
     SMTP Command Injection Vulnerability Allowing Email Forgery
     An SMTP Command Injection (CRLF Injection) vulnerability
     in Netty's SMTP codec allows a remote attacker who can control
     SMTP command parameters (e.g., an email recipient)
     to forge arbitrary emails from the trusted server.
     This bypasses standard email authentication and can
     be used to impersonate executives and forge high-stakes
     corporate communications.
   * Fix CVE-2025-67735 (Closes: #1123606)
     `io.netty.handler.codec.http.HttpRequestEncoder`
     has a CRLF injection with the request URI when constructing
     a request. This leads to request smuggling when
     `HttpRequestEncoder` is used without proper sanitization
     of the URI. Any application / framework using `HttpRequestEncoder`
     can be abused to perform request smuggling using
     CRLF injection.
Checksums-Sha1:
 8dc28660bbb025c2f06bf5c94e3c56c5eaf269d0 2449 netty_4.1.48-7+deb12u2.dsc
 022ad0c0c76dd4ba14b1e44d11cf0b99f0feeb2b 1665244 netty_4.1.48.orig.tar.xz
 fe8e785301d51793f2b3adb3abb956267e431e85 57888 netty_4.1.48-7+deb12u2.debian.tar.xz
 c710858538ca0eef0a9e48dd4ea4e5266855e944 14567 netty_4.1.48-7+deb12u2_source.buildinfo
Checksums-Sha256:
 06bee0b9ef847f6d21380229e15a85b9f8a4e8cb89e8f889e04f90eed9e69da7 2449 netty_4.1.48-7+deb12u2.dsc
 e5351d821f461f64af58e89f260ad8943b0ab75f26c1a845300a91f22a711600 1665244 netty_4.1.48.orig.tar.xz
 4acfbf9a2e2d51e8e4c21c7532b65dccc6db3ab561a40049d56219f89f09fc1a 57888 netty_4.1.48-7+deb12u2.debian.tar.xz
 4f9747a0ade9564c7bb5674164b99be5dd168fafaf62846f7d1121905eb8cc35 14567 netty_4.1.48-7+deb12u2_source.buildinfo
Files:
 9a2f2b0d9f543361690c0748ec506bb5 2449 java optional netty_4.1.48-7+deb12u2.dsc
 ebc25581b3e2b6e1bb47200ba260a636 1665244 java optional netty_4.1.48.orig.tar.xz
 fba157d4962aed3268edfe3eb569872d 57888 java optional netty_4.1.48-7+deb12u2.debian.tar.xz
 feb8a5c16bd368957ec3fe20b53cd4e2 14567 java optional netty_4.1.48-7+deb12u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
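The last two entries (CVE-2025-59419 and CVE-2025-67735) are the same defect in two codecs: a caller-supplied string is interpolated into a CRLF-delimited protocol line without being checked for CR or LF. The Python below is an added illustration, not Netty's code, of why that matters and of the check a caller should apply before handing such a value to an encoder; the request-line and RCPT builders and the sample values are constructed for this example.

```python
import re

# CR, LF, the other C0 controls and DEL: none may appear raw inside an
# HTTP request-target or an SMTP command argument, so any of them means the
# value would break out of the line it is interpolated into.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def assert_single_line(value: str, what: str) -> str:
    """Reject a value that contains a control byte; return it unchanged otherwise."""
    m = _CONTROL.search(value)
    if m:
        raise ValueError(f"{what} contains control byte 0x{ord(m.group()):02x} "
                         f"at offset {m.start()}")
    return value

def build_request_line_unchecked(method: str, uri: str) -> str:
    """The unsafe pattern: the URI goes into the start line verbatim."""
    return f"{method} {uri} HTTP/1.1\r\n"

def build_request_line(method: str, uri: str) -> str:
    """Hardened builder: validate the URI before interpolating it."""
    return f"{method} {assert_single_line(uri, 'request URI')} HTTP/1.1\r\n"

def build_rcpt(recipient: str) -> str:
    """Hardened SMTP RCPT command; the same check covers mail parameters."""
    return f"RCPT TO:<{assert_single_line(recipient, 'SMTP recipient')}>\r\n"

def wire_line_count(wire: str) -> int:
    """Number of protocol lines a line-oriented peer will read from `wire`."""
    return wire.count("\r\n")

def is_rejected(builder, *args) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        builder(*args)
    except ValueError:
        return True
    return False

# Constructed samples (not taken from the advisory).
TAINTED_URI = "/search?q=x\r\nX-Injected: 1"   # raw CRLF smuggles a header line
CLEAN_URI = "/search?q=x%0d%0a"                # percent-encoded: stays one line
TAINTED_RCPT = "user@example.net\r\nNOOP"      # raw CRLF adds an SMTP command

if __name__ == "__main__":
    print(wire_line_count(build_request_line_unchecked("GET", TAINTED_URI)), "lines sent unchecked")
    print("hardened builder rejects tainted URI:", is_rejected(build_request_line, "GET", TAINTED_URI))
```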
