netty (1:4.1.48-4+deb11u2) bullseye-security; urgency=high * Team upload. * Fix CVE-2023-34462: (Closes: #1038947) Guard against high memory usage when parsing ClientHello messages. * Fix CVE-2023-44487: (Closes: #1054234) The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly. * Add 21-java-17.patch to fix a FTBFS with newer OpenJDK versions. -- Markus Koschany Sat, 18 Nov 2023 15:32:05 +0100 netty (1:4.1.48-4+deb11u1) bullseye-security; urgency=high * Team upload. * Fix CVE-2021-37136, CVE-2021-37137, CVE-2021-43797, CVE-2022-41881, and CVE-2022-41915. Several out-of-memory, stack overflow or HTTP request smuggling vulnerabilities have been discovered in Netty which may allow attackers to cause a denial of service or bypass restrictions when used as a proxy. (Closes: #1027180, #1014769, #1001437) -- Markus Koschany Sun, 01 Jan 2023 19:17:21 +0100 netty (1:4.1.48-4) unstable; urgency=high * Team upload. * Fix CVE-2021-21409 (Closes: #986217) Address a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup to CVE-2021-21295 to address this case. -- tony mancill Wed, 31 Mar 2021 22:01:52 -0700 netty (1:4.1.48-3) unstable; urgency=high * Team upload. * Fix CVE-2021-21295: There is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. (Closes: #984948) -- Markus Koschany Fri, 26 Mar 2021 13:37:15 +0100 netty (1:4.1.48-2) unstable; urgency=high * Team upload. * Fix CVE-2021-21290: In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Thanks to Salvatore Bonaccorso for the report. (Closes: #982580) * Switch to debhelper-compat = 13. * Declare compliance with Debian Policy 4.5.1. -- Markus Koschany Mon, 15 Feb 2021 00:17:55 +0100 netty (1:4.1.48-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches -- Emmanuel Bourg Mon, 06 Apr 2020 00:17:03 +0200 netty (1:4.1.45-2) unstable; urgency=medium * Team upload. * Enable building of transport-native-kqueue. - Needed to update async-http-client. -- Sudip Mukherjee Fri, 20 Mar 2020 16:35:51 +0000 netty (1:4.1.45-1) unstable; urgency=medium * Team upload. * New upstream release - Fixes CVE-2019-20444, CVE-2019-20445 and CVE-2020-7238 (Closes: #950966, #950967) - Refreshed the patches - Updated the Maven rules - Depend on libnetty-tcnative-java (>= 2.0.28) - Disabled the native image support due to missing dependencies - Disabled the BlockHound integration * Standards-Version updated to 4.5.0 -- Emmanuel Bourg Mon, 24 Feb 2020 17:10:37 +0100 netty (1:4.1.33-3) unstable; urgency=medium * Team upload. * Apply patch for FTBFS on 32-bit architectures. (Closes: #923455) Thank you to Sjoerd Simons for the patch. * Set "Rules-Requires-Root: no" in debian/control * Specify debhelper compat 12 via debhelper-compat dependency * Bump Standards-Version to 4.4.1 -- tony mancill Wed, 08 Jan 2020 20:40:19 -0800 netty (1:4.1.33-2) unstable; urgency=high * Team upload. * Correctly handle whitespaces in HTTP header names as defined by RFC7230#section-3.2.4 (CVE-2019-16869) (Closes: #941266) -- Salvatore Bonaccorso Thu, 02 Jan 2020 20:47:57 +0100 netty (1:4.1.33-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches - Depend on libnetty-tcnative-java (>= 2.0.20) * Removed the wrong --has-package-version flag * Standards-Version updated to 4.3.0 -- Emmanuel Bourg Tue, 22 Jan 2019 14:06:25 +0100 netty (1:4.1.29-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches - Depend on libjctools-java (>= 2.0) - Depend on libnetty-tcnative-java (>= 2.0) - No longer depend on libasm-java - Disabled Conscrypt support (missing dependency) - Build the new transport-native-unix-common module - Install the new Bill of Materials - Ignore the new dev-tools, testsuite-autobahn, testsuite-http2, testsuite-shading, transport-native-kqueue and transport-native-unix-common-tests modules - Ignore the forbiddenapis and maven-remote-resources-plugin plugins - Removed the Maven wrapper from the upstream tarball * Removed the build dependency on libmaven-scm-java and ivy * Removed Damien Raude-Morvan from the uploaders (Closes: #889432) * Standards-Version updated to 4.2.1 * Switch to debhelper level 11 * Use salsa.debian.org Vcs-* URLs * Install the NOTICE file as required by the Apache-2.0 license -- Emmanuel Bourg Tue, 04 Sep 2018 23:41:23 +0200 netty (1:4.1.7-4) unstable; urgency=medium * Team upload. * Update debian/watch to repack with xz compression * Bump Standards-Version to 4.0.0 * Update jctools2 patch for approach used upstream (see #866771) -- tony mancill Sun, 30 Jul 2017 08:31:35 -0700 netty (1:4.1.7-3) unstable; urgency=medium * Team upload. * Add patch to build against jctools 2.0 (Closes: #866771) * Update libjctools-java build-dep to version 2.0 -- tony mancill Sat, 22 Jul 2017 18:56:07 -0700 netty (1:4.1.7-2) unstable; urgency=medium * Team upload. * Fixed the netty-all pom (Closes: #852255) -- Emmanuel Bourg Mon, 23 Jan 2017 09:32:14 +0100 netty (1:4.1.7-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches - Build the new modules: codec-dns, codec-http2, codec-memcache, codec-mqtt, codec-redis, codec-smtp, codec-stomp, handler-proxy, resolver-dns and resolver - Ignore the new codec-xml module (missing dependency) - New dependency: groovy, libcompress-lzf-java, libgoogle-gson-java - Adapted codegen.groovy to run without the groovy-maven-plugin - Ignore the new test dependencies - Disabled lz4, lzma and protobuf nano support due to missing dependencies -- Emmanuel Bourg Mon, 16 Jan 2017 09:14:21 +0100 netty (1:4.0.42-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * Switch to debhelper level 10 -- Emmanuel Bourg Sun, 30 Oct 2016 00:12:28 +0200 netty (1:4.0.41-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches - Depend on netty-tcnative (>= 1.1.33.Fork21) -- Emmanuel Bourg Tue, 30 Aug 2016 08:52:52 +0200 netty (1:4.0.40-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches - New dependency on libjctools-java - New build dependency on libmaven-shade-plugin-java * Build the netty-transport-native-epoll module * Depend on ant-contrib >= 1.0~b3+svn177-8 and dropped the dependency on libbcel-java -- Emmanuel Bourg Wed, 03 Aug 2016 01:04:26 +0200 netty (1:4.0.37-1) unstable; urgency=high * Team upload. * New upstream release. (Closes: #827620) CVE-2016-4970 * Add build-dependency on liblog4j2-java. -- tony mancill Sat, 18 Jun 2016 14:45:03 -0700 netty (1:4.0.36-2) unstable; urgency=medium * Team upload. * Removed the empty classifier for the tcnative dependency since it breaks the Gradle dependencies resolution -- Emmanuel Bourg Tue, 24 May 2016 00:45:11 +0200 netty (1:4.0.36-1) unstable; urgency=medium * Team upload. * New upstream release * Depend on libasm-java (>= 5.0) instead of libasm4-java * Standards-Version updated to 3.9.8 (no changes) -- Emmanuel Bourg Sun, 24 Apr 2016 19:20:27 +0200 netty (1:4.0.35-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches - Updated the Maven rules * Standards-Version updated to 3.9.7 (no changes) * Use secure Vcs-* fields -- Emmanuel Bourg Mon, 28 Mar 2016 23:03:36 +0200 netty (1:4.0.34-1) unstable; urgency=medium * Team upload. * New upstream release - Depend on netty-tcnative (>= 1.1.33.Fork11) * Build with the DH sequencer instead of CDBS * Made the versions.properties embedded in the jar files reproducible -- Emmanuel Bourg Sun, 31 Jan 2016 23:39:15 +0100 netty (1:4.0.33-1) unstable; urgency=medium * Team upload. * New upstream release -- Emmanuel Bourg Thu, 19 Nov 2015 23:37:59 +0100 netty (1:4.0.32-1) unstable; urgency=medium * Team upload. * New upstream release: - Refreshed the patches -- Emmanuel Bourg Sat, 03 Oct 2015 01:12:58 +0200 netty (1:4.0.31-1) unstable; urgency=medium * Team upload. [ Emmanuel Bourg ] * New upstream release: - Build with maven-debian-helper - Fixes CVE-2015-2156 (Closes: #796114) * debian/control: - Team maintenance by Debian Java Maintainers - Standards-Version updated to 3.9.6 (no changes) - Removed the deprecated DM-Upload-Allowed field * debian/watch: Track the release tags on GitHub * Moved the package to Git * Switch to debhelper level 9 [ Charles Plessy ] * Updated homepage (debian/control). -- Emmanuel Bourg Sat, 12 Sep 2015 23:26:11 +0200 netty (1:3.2.6.Final-2) unstable; urgency=low * Merge from James Page (thanks!): * Enable test suite to support Ubuntu MIR (LP: #913878) (Closes: #658250): - d/build.xml: Add extra targets to compile and execute unit tests. - d/rules: Add testing dependencies to build classpath. - d/control: Added junit4 and libeasymock-java to BDI's and ant-optional to BD's. * d/orig-tar.sh; Dropped - not used. -- Damien Raude-Morvan Sun, 12 Feb 2012 12:43:50 +0100 netty (1:3.2.6.Final-1) unstable; urgency=low * New upstream release (Closes: #643832): - Update watch file for github. * Add myself to Uploaders. * Use maven-repo-helper to install jar. * Bump to Standards-Version to 3.9.2: - Provide a get-orig-source target. - Drop Depends on default-jre-headless. - Drop XSBC-* fields (Ubuntu specific) - Add Homepage field. - Add Vcs-* fields. * Use debhelper 7 compat level. * Fix copyright: - now under Apache-2.0 licence. - update to DEP-5. * Switch to 3.0 (quilt) source format. * Add Recommends on logging frameworks. -- Damien Raude-Morvan Wed, 23 Nov 2011 21:14:19 +0100 netty (1:3.1.0.CR1-1) unstable; urgency=low * Port package to pkg-java based largely on existing Ubuntu package * Pull sources from svn to build orig tarball avoiding DFSG non-compliance * debian/copyright, debian/README.source: Update to reflect DFSG-compliant packaging. -- Chris Grzegorczyk Thu, 17 Dec 2009 03:12:31 -0800 netty (3.1.0.CR1+dfsg-0ubuntu1) karmic; urgency=low * Repackaged orig tarball to avoid shipping sourceless doc/ elements. * debian/copyright, debian/README.source: Explain repacking. -- Thierry Carrez Wed, 26 Aug 2009 15:13:13 +0200 netty (3.1.0.CR1-0ubuntu1) karmic; urgency=low * Initial release. New Eucalyptus dependency. -- Thierry Carrez Tue, 21 Jul 2009 16:48:12 +0200