Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package netty for openSUSE:Factory checked in at 2026-06-15 19:46:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/netty (Old)
 and      /work/SRC/openSUSE:Factory/.netty.new.1981 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "netty" Mon Jun 15 19:46:48 2026 rev:15 rq:1359483 version:4.1.135 Changes: -------- --- /work/SRC/openSUSE:Factory/netty/netty.changes 2026-05-15 23:54:51.844452902 +0200 +++ /work/SRC/openSUSE:Factory/.netty.new.1981/netty.changes 2026-06-15 19:50:34.389354280 +0200 
@@ -1,0 +2,100 @@ +Fri Jun 12 09:03:33 UTC 2026 - Fridrich Strba <[email protected]> + +- Upgrade to upstream version 4.1.135 + * Security fixes: + + CVE-2026-48059, bsc#1268258: memory exhaustion in + io.netty:netty-codec-haproxy + + CVE-2026-47691, bsc#1268252: DNS cache poisoning in + io.netty:netty-resolver-dns + + CVE-2026-50560, bsc#1268262: DDoS in + io.netty:netty-codec-http2 + + CVE-2026-50011, bsc#1268260: memory exhaustion in + io.netty:netty-codec-redis + + CVE-2026-44250, bsc#1268169: memory exhaustion in + io.netty:netty-codec-redis + + CVE-2026-44890, bsc#1268170: memory exhaustion in + io.netty:netty-codec-redis + + CVE-2026-44249, bsc#1268165: IPv6 subnet filter bypass in + io.netty:netty-handler + + CVE-2026-50020, bsc#1268261: request smuggling in + io.netty:netty-codec-http + + CVE-2026-44893, bsc#1268244: memory leak in + io.netty:netty-codec-haproxy + + CVE-2026-50010, bsc#1268259: TLS hostname verification + accidentally disabled in io.netty:netty-handler + + CVE-2026-45673, bsc#1268248: DNS cache poisoning in + io.netty:netty-resolver-dns + + CVE-2026-45416, bsc#1268246: excessive memory usage from + SNIHandler in io.netty:netty-handler + + CVE-2026-45536, bsc#1268247: file descriptor leak in + io.netty:netty-transport-native-epoll and + io.netty:netty-transport-native-kqueue + + CVE-2026-45674, bsc#1268249: DNS cache poisoning in + io.netty:netty-resolver-dns + + CVE-2026-46340, bsc#1268250: memory exhaustion in + io.netty:netty-transport-sctp + + CVE-2026-47244, bsc#1268251: denial of service in + io.netty:netty-codec-http2 + + CVE-2026-48006, bsc#1268255: memory exhaustion in + io.netty:netty-codec-redis + + CVE-2026-48043, bsc#1268257: memory exhaustion in + io.netty:netty-codec-http2 + * Other significant changes: + + MQTT: Allow MQTT 5 CONNECT with password only + + ChannelInitializer: correct misleading comment on + exceptionCaught route + + HTTP/2: Parse request-target path like Vert.x (4.1 backport) + + HttpObjectDecoder skips 
arbitrary initial control characters + when only initial CRLF characters are permitted + + IpSubnetFilter: Correctly handle ipv6 + + Configurable bound on RedisArrayAggregator + + Redis: Limit decoded length + + DNS: Ensure query id is not predictible + + Wrapping plain trust manager silently disables hostname + verification + + MQTT: Reject malformed no-payload packets with non-zero + Remaining Length + + HAProxy: Reject HAProxyMessages with malformated TLV and not + leak memory + + SSL: Use sane defaults as limits for the client hello length + and timeout + + DNS: Only cache CNAME if part of the queried domain + + HTTP/2: Enforce max concurrent streams for misbehaving clients + + Dns: Insufficient Bailiwick Validation for NS Records + + HTTP2: DelegatingDecompressorFrameListener must release memory + in all cases + + Pass maxAllocation to Brotli and Zstd decoders + + HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory + + Add maxWindowLog parameter to ZstdDecoder to bound memory + allocation + + HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs + + Epoll / Kqueue: Correctly handle receive of FD + + SCTP: Limit the number of inflight incomplete SCTP messages + and the number of fragments + + Redis: Correctly release incomplete message on removal when + using RedisArrayAggregator + + Redis: Limit the maximum number of nested arrays + + HTTP: Re-add constructor to HttpProxyHandler that was removed + by mistake + + Marshalling: Explicit document security requirements + + Pin HTTP/RTSP version + method normalization to Locale.US + + Adaptive: Fix concurrency issue in adaptive allocator + + Pin multipart Content-Type / Content-Transfer-Encoding case + folding to Locale.US + + Remove dead native declarations + + Avoid re-parsing openssl key material with non-cached provider + + IpFilter: Fix ClassCastException caused by IpSubnetFilter if + only ipv6 rules are configured but remote peer is using ipv4 + + Resolve all localhost addresses without querying DNS 
servers + + HTTP2: Use 100 as default max concurrent streams setting + + Route synchronous onLookupComplete exceptions via + fireExceptionCaught + + Fix MQTT decoder size check after variable header replay +- Modified patches: + * 0001-Remove-optional-dep-Blockhound.patch + * 0002-Remove-optional-dep-conscrypt.patch + * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch + * 0004-Disable-Brotli-and-ZStd-compression.patch + + rediff + +------------------------------------------------------------------- Old: ---- netty-4.1.133.Final.tar.gz New: ---- netty-4.1.135.Final.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netty.spec ++++++ --- /var/tmp/diff_new_pack.ANOKZU/_old 2026-06-15 19:50:37.213472708 +0200 +++ /var/tmp/diff_new_pack.ANOKZU/_new 2026-06-15 19:50:37.241473882 +0200 @@ -19,7 +19,7 @@ %global namedreltag .Final %global namedversion %{version}%{?namedreltag} Name: netty -Version: 4.1.133 +Version: 4.1.135 Release: 0 Summary: An asynchronous event-driven network application framework and tools for Java License: Apache-2.0 ++++++ 0001-Remove-optional-dep-Blockhound.patch ++++++ --- /var/tmp/diff_new_pack.ANOKZU/_old 2026-06-15 19:50:37.349478411 +0200 +++ /var/tmp/diff_new_pack.ANOKZU/_new 2026-06-15 19:50:37.357478746 +0200 @@ -1,4 +1,4 @@ -From 28914f7d84e049493c67a4c5f065627b188c23ec Mon Sep 17 00:00:00 2001 +From f3ef38d6857ccd9f1945fe8e92e36a4f18a62dd8 Mon Sep 17 00:00:00 2001 From: Mat Booth <[email protected]> Date: Mon, 7 Sep 2020 12:17:31 +0100 Subject: [PATCH 1/4] Remove optional dep Blockhound @@ -23,7 +23,7 @@ delete mode 100644 transport-blockhound-tests/src/test/resources/io/netty/util/internal/mutual_auth_ca.pem diff --git a/common/pom.xml b/common/pom.xml -index 19419fc648..930c18e029 100644 +index 6e0ea10f51..26e2608b74 100644 --- a/common/pom.xml +++ b/common/pom.xml @@ -89,11 +89,6 @@ 
@@ -266,10 +266,10 @@ -io.netty.util.internal.Hidden$NettyBlockHoundIntegration \ No newline at end of file diff --git a/pom.xml b/pom.xml -index 8e0191e28c..ab4b5c1afa 100644 +index 91d6fee8fc..650c93e3ae 100644 --- a/pom.xml +++ b/pom.xml -@@ -908,7 +908,6 @@ +@@ -909,7 +909,6 @@ <module>testsuite-native-image</module> <module>testsuite-native-image-client</module> <module>testsuite-native-image-client-runtime-init</module> @@ -277,7 +277,7 @@ <module>microbench</module> <module>bom</module> </modules> -@@ -1331,13 +1330,6 @@ +@@ -1338,13 +1337,6 @@ <version>${log4j2.version}</version> <scope>test</scope> </dependency> @@ -293,7 +293,7 @@ diff --git a/transport-blockhound-tests/pom.xml b/transport-blockhound-tests/pom.xml deleted file mode 100644 -index 8ee4d2585d..0000000000 +index f53dd286c8..0000000000 --- a/transport-blockhound-tests/pom.xml +++ /dev/null @@ -1,228 +0,0 @@ @@ -319,7 +319,7 @@ - <parent> - <groupId>io.netty</groupId> - <artifactId>netty-parent</artifactId> -- <version>4.1.133.Final</version> +- <version>4.1.135.Final</version> - </parent> - - <artifactId>netty-transport-blockhound-tests</artifactId> ++++++ 0002-Remove-optional-dep-conscrypt.patch ++++++ --- /var/tmp/diff_new_pack.ANOKZU/_old 2026-06-15 19:50:37.449482604 +0200 +++ /var/tmp/diff_new_pack.ANOKZU/_new 2026-06-15 19:50:37.489484282 +0200 @@ -1,4 +1,4 @@ -From 2fa94827d28df5fdcee6f4b95d6c407423897ca1 Mon Sep 17 00:00:00 2001 +From 5d077cf5d0da696c0f5dcabe50dcbb01c6bb95d3 Mon Sep 17 00:00:00 2001 From: Mat Booth <[email protected]> Date: Mon, 7 Sep 2020 13:24:30 +0100 Subject: [PATCH 2/4] Remove optional dep conscrypt @@ -15,7 +15,7 @@ delete mode 100644 handler/src/main/java/io/netty/handler/ssl/ConscryptAlpnSslEngine.java diff --git a/handler/pom.xml b/handler/pom.xml -index ab85c94ba4..84309b4220 100644 +index 9b8e6ad834..dd377f5897 100644 --- a/handler/pom.xml +++ b/handler/pom.xml @@ -96,12 +96,6 @@ 
@@ -434,10 +434,10 @@ SslEngineType(boolean wantsDirectBuffer, Cumulator cumulator) { diff --git a/pom.xml b/pom.xml -index 1861ad1d25..7f4bc213a1 100644 +index 650c93e3ae..c744d999ee 100644 --- a/pom.xml +++ b/pom.xml -@@ -984,16 +984,6 @@ +@@ -988,16 +988,6 @@ <optional>true</optional> </dependency> @@ -455,6 +455,6 @@ <dependency> <groupId>software.amazon.cryptools</groupId> -- -2.53.0 +2.54.0 ++++++ 0003-Remove-optional-deps-jetty-alpn-and-npn.patch ++++++ --- /var/tmp/diff_new_pack.ANOKZU/_old 2026-06-15 19:50:37.537486295 +0200 +++ /var/tmp/diff_new_pack.ANOKZU/_new 2026-06-15 19:50:37.553486965 +0200 @@ -1,4 +1,4 @@ -From 4bcfb83cf14659bf0125cc5dd43578a2b6b20dfb Mon Sep 17 00:00:00 2001 +From df0ce19cad8ac2e55f463d5b3a39acf8643c020f Mon Sep 17 00:00:00 2001 From: Mat Booth <[email protected]> Date: Mon, 7 Sep 2020 13:26:20 +0100 Subject: [PATCH 3/4] Remove optional deps jetty alpn and npn @@ -15,7 +15,7 @@ delete mode 100644 handler/src/main/java/io/netty/handler/ssl/JettyNpnSslEngine.java diff --git a/handler/pom.xml b/handler/pom.xml -index 84309b4220..3df96e9d12 100644 +index dd377f5897..7e69d94c7b 100644 --- a/handler/pom.xml +++ b/handler/pom.xml @@ -86,16 +86,6 @@ @@ -374,10 +374,10 @@ - } -} diff --git a/pom.xml b/pom.xml -index 7f4bc213a1..253be4da8d 100644 +index c744d999ee..355ae52e93 100644 --- a/pom.xml +++ b/pom.xml -@@ -941,20 +941,6 @@ +@@ -945,20 +945,6 @@ <optional>true</optional> </dependency> @@ -399,6 +399,6 @@ <dependency> <groupId>com.google.protobuf</groupId> -- -2.53.0 +2.54.0 ++++++ 0004-Disable-Brotli-and-ZStd-compression.patch ++++++ --- /var/tmp/diff_new_pack.ANOKZU/_old 2026-06-15 19:50:37.629490153 +0200 +++ /var/tmp/diff_new_pack.ANOKZU/_new 2026-06-15 19:50:37.673491998 +0200 @@ -1,4 +1,4 @@ -From 0731b63b314c2e2e103e66b67db90b96fc022d89 Mon Sep 17 00:00:00 2001 +From d77380c8bee1268b43659e0852cdb712c33127ac Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fridrich=20=C5=A0trba?= <[email protected]> Date: Thu, 30 Mar 2023 13:19:04 +0200 Subject: [PATCH 4/4] Disable Brotli and ZStd compression @@ -190,7 +190,7 @@ * Compression Encoder Factory for create {@link SnappyFrameEncoder} * used to compress http content for snappy content encoding diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecompressor.java b/codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecompressor.java -index 44e6195332..475a09ae58 100644 +index f6fde48862..475a09ae58 100644 --- a/codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecompressor.java +++ b/codec-http/src/main/java/io/netty/handler/codec/http/HttpContentDecompressor.java @@ -15,23 +15,17 @@ @@ -223,7 +223,7 @@ } - if (Brotli.isAvailable() && BR.contentEqualsIgnoreCase(contentEncoding)) { - return new EmbeddedChannel(ctx.channel().id(), ctx.channel().metadata().hasDisconnect(), -- ctx.channel().config(), new BrotliDecoder()); +- ctx.channel().config(), new BrotliDecoder(maxAllocation)); - } - if (SNAPPY.contentEqualsIgnoreCase(contentEncoding)) { @@ -233,7 +233,7 @@ - if (Zstd.isAvailable() && ZSTD.contentEqualsIgnoreCase(contentEncoding)) { - return new EmbeddedChannel(ctx.channel().id(), ctx.channel().metadata().hasDisconnect(), -- ctx.channel().config(), new ZstdDecoder()); +- ctx.channel().config(), new ZstdDecoder(maxAllocation)); - } - // 'identity' or unsupported @@ -333,7 +333,7 @@ return new EmbeddedChannel(ctx.channel().id(), ctx.channel().metadata().hasDisconnect(), ctx.channel().config(), new SnappyFrameEncoder()); diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java -index 5cb6b44afd..5b2f35bea0 100644 +index c14502b94f..26c93460f8 100644 --- a/codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java 
+++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java @@ -20,24 +20,18 @@ import io.netty.channel.ChannelHandlerContext; ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.ANOKZU/_old 2026-06-15 19:50:37.853499546 +0200 +++ /var/tmp/diff_new_pack.ANOKZU/_new 2026-06-15 19:50:37.893501224 +0200 @@ -1,6 +1,6 @@ -mtime: 1778828762 -commit: e896793d0285e5c512f793a5537e35bffd215a0c24864a445434b1fb6c0036e6 +mtime: 1781514666 +commit: da46f5b7fba646f87b3b547b6b017b62034b3069aeecfa9529a3dc17c10472ed url: https://src.opensuse.org/java-packages/netty -revision: e896793d0285e5c512f793a5537e35bffd215a0c24864a445434b1fb6c0036e6 +revision: da46f5b7fba646f87b3b547b6b017b62034b3069aeecfa9529a3dc17c10472ed projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-15 11:11:06.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ netty-4.1.133.Final.tar.gz -> netty-4.1.135.Final.tar.gz ++++++ ++++ 5563 lines of diff (skipped)
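Review bot: In the netty.changes hunk, "Other significant changes" lists "Pass maxAllocation to Brotli and Zstd decoders" and "Add maxWindowLog parameter to ZstdDecoder to bound memory allocation", but 0004-Disable-Brotli-and-ZStd-compression.patch strips the Brotli and Zstd branches from HttpContentDecompressor in this package (the removed lines are now "new BrotliDecoder(maxAllocation)" and "new ZstdDecoder(maxAllocation)"). Readers of the changelog will assume those bounds are active in the shipped build; consider marking both entries as not applicable because of patch 0004, or dropping them. Two spellings in the same list are also worth fixing while the entry is open: "predictible" should be "predictable" and "malformated" should be "malformed".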
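Review bot: In the rediffed 0004 patch, the index line for DelegatingDecompressorFrameListener.java changes on both sides (5cb6b44afd..5b2f35bea0 becomes c14502b94f..26c93460f8), so upstream modified code that the patch keeps, and the changelog names "HTTP2: DelegatingDecompressorFrameListener must release memory in all cases" among the fixes. The body of that hunk is not shown in this mail, so please confirm that the rediff removes only the Brotli and Zstd branches and leaves the new release paths intact. By contrast, the HttpContentDecompressor.java post-image blob is unchanged (475a09ae58 on both sides), which is consistent with upstream's change in that file being confined to the maxAllocation arguments on the lines the patch deletes.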
