-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Feb 2026 11:26:12 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-10+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1111105 1113994 1118282 1123606
Changes:
 netty (1:4.1.48-10+deb13u1) trixie-security; urgency=high
 .
   * Team upload
   * Fix CVE-2025-55163 (Closes: #1111105)
     Netty is vulnerable to MadeYouReset DDoS.
     This is a logical vulnerability in the HTTP/2 protocol,
     that uses malformed HTTP/2 control frames in order to break
     the max concurrent streams limit, which results in resource
     exhaustion and distributed denial of service.
   * Fix CVE-2025-58056 (Closes: #1113994)
     When supplied with specially crafted input, BrotliDecoder and
     certain other decompression decoders will allocate a large
     number of reachable byte buffers, which can lead to
     denial of service. BrotliDecoder.decompress has
     no limit in how often it calls pull, decompressing
     data 64K bytes at a time. The buffers are saved in
     the output list, and remain reachable until OOM is hit.
   * Fix CVE-2025-58057:
     When supplied with specially crafted input, BrotliDecoder
     and certain other decompression decoders will allocate
     a large number of reachable byte buffers, which can lead
     to denial of service. BrotliDecoder.decompress has no limit
     in how often it calls pull, decompressing data 64K bytes at
     a time. The buffers are saved in the output list, and remain
     reachable until OOM is hit.
     (Closes: #1113994)
   * Fix CVE-2025-59419 (Closes: #1118282)
     SMTP Command Injection Vulnerability Allowing Email Forgery
     An SMTP Command Injection (CRLF Injection) vulnerability
     in Netty's SMTP codec allows a remote attacker who can control
     SMTP command parameters (e.g., an email recipient)
     to forge arbitrary emails from the trusted server.
     This bypasses standard email authentication and can
     be used to impersonate executives and forge high-stakes
     corporate communications.
   * Fix CVE-2025-67735 (Closes: #1123606)
     `io.netty.handler.codec.http.HttpRequestEncoder`
     has a CRLF injection with the request URI when constructing
     a request. This leads to request smuggling when
     `HttpRequestEncoder` is used without proper sanitization
     of the URI. Any application / framework using `HttpRequestEncoder`
     can be abused to perform request smuggling using
     CRLF injection.
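The decompression problem described for CVE-2025-58056 / CVE-2025-58057, shown in general terms as an added example that is not part of this upload or of Netty's code: it uses Python's standard zlib in place of Brotli (an assumption, so the decoder API differs), and puts a pull loop that retains every 64K buffer beside one that caps the total output. The 8 MiB input stream is constructed in the block.

```python
import zlib

# Constructed sample input (not from the advisory): a few KB of compressed
# data that inflates to 8 MiB. A decoder that pulls output 64K at a time with
# no cap keeps every chunk reachable until it runs out of memory.
BOMB = zlib.compress(b"\0" * (8 * 1024 * 1024), 9)
SMALL = zlib.compress(b"hello world")

PULL = 64 * 1024  # 64K-per-pull step, matching the changelog description


class DecompressionLimitExceeded(Exception):
    pass


def decompress_unbounded(data: bytes) -> int:
    """Vulnerable shape: pull until the stream ends, retaining every buffer.

    Returns the total number of bytes that were kept reachable."""
    dec = zlib.decompressobj()
    out = []  # every 64K buffer stays reachable here
    pending = data
    while not dec.eof:
        chunk = dec.decompress(pending, PULL)
        pending = dec.unconsumed_tail
        if not chunk and not pending:
            break  # truncated input; nothing more can be produced
        out.append(chunk)
    return sum(len(c) for c in out)


def decompress_bounded(data: bytes, max_output: int) -> bytes:
    """Hardened shape: abort as soon as the output would exceed max_output."""
    dec = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not dec.eof:
        chunk = dec.decompress(pending, PULL)
        pending = dec.unconsumed_tail
        if not chunk and not pending:
            break
        if len(out) + len(chunk) > max_output:
            raise DecompressionLimitExceeded(
                f"decompressed output would exceed {max_output} bytes")
        out += chunk
    return bytes(out)


def bomb_is_rejected(max_output: int = 1 << 20) -> bool:
    """True when the bounded decoder refuses the constructed input."""
    try:
        decompress_bounded(BOMB, max_output)
    except DecompressionLimitExceeded:
        return True
    return False
```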
Checksums-Sha1:
 2d598f6ddf79b58ff4b176f5ae9f7d77854c7ddc 2551 netty_4.1.48-10+deb13u1.dsc
 022ad0c0c76dd4ba14b1e44d11cf0b99f0feeb2b 1665244 netty_4.1.48.orig.tar.xz
 182fb5f4a0976f6b455b46e89dc0bab7ad2405e7 61456 netty_4.1.48-10+deb13u1.debian.tar.xz
 ab25080e25f1678e479631bbca67468d1046b1e2 14669 netty_4.1.48-10+deb13u1_source.buildinfo
Checksums-Sha256:
 b6dc5d7351acaf1b6d45123aa775317206cb786df4365625789a87ac1a4d2d1a 2551 netty_4.1.48-10+deb13u1.dsc
 e5351d821f461f64af58e89f260ad8943b0ab75f26c1a845300a91f22a711600 1665244 netty_4.1.48.orig.tar.xz
 af54ab17d8c2a5c1dcd65bfa9fddbdeb929a187efbc35b89de14ac68673cd0f4 61456 netty_4.1.48-10+deb13u1.debian.tar.xz
 90ac80fd9c7eb14ffed43c99ce900194ad936afcd31296dd41a30a04adb04a21 14669 netty_4.1.48-10+deb13u1_source.buildinfo
Files:
 ecf19318a52154180fed06ce5dca8c1f 2551 java optional netty_4.1.48-10+deb13u1.dsc
 ebc25581b3e2b6e1bb47200ba260a636 1665244 java optional netty_4.1.48.orig.tar.xz
 25add6a023a44d9d00007e7ff51fca59 61456 java optional netty_4.1.48-10+deb13u1.debian.tar.xz
 bdfaa4e9c26885fd6fabe13f28de81cc 14669 java optional netty_4.1.48-10+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----