-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 Nov 2025 10:09:07 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-11
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1111105 1113994 1118282
Changes:
 netty (1:4.1.48-11) unstable; urgency=high
 .
   * Team upload
   * Fix CVE-2025-55163 (Closes: #1111105)
     Netty is vulnerable to MadeYouReset DDoS. This is a logical
     vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2
     control frames in order to break the max concurrent streams limit,
     which results in resource exhaustion and distributed denial of service.
   * Fix CVE-2025-58056 (Closes: #1113994)
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service.
     BrotliDecoder.decompress has no limit in how often it calls pull,
     decompressing data 64K bytes at a time. The buffers are saved in the
     output list, and remain reachable until OOM is hit.
   * Fix CVE-2025-59419 (Closes: #1118282)
     SMTP Command Injection Vulnerability Allowing Email Forgery
     An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP
     codec allows a remote attacker who can control SMTP command parameters
     (e.g., an email recipient) to forge arbitrary emails from the trusted
     server. This bypasses standard email authentication and can be used to
     impersonate executives and forge high-stakes corporate communications.
Checksums-Sha1:
 cd6f83e56f478f57da9a72c7adc4da977a791a7f 2422 netty_4.1.48-11.dsc
 022ad0c0c76dd4ba14b1e44d11cf0b99f0feeb2b 1665244 netty_4.1.48.orig.tar.xz
 b4c4f5e7d14ecd8176790fdb576285458ade54f5 49368 netty_4.1.48-11.debian.tar.xz
 528c4381c8e1c7db783a7ffbbd963c2a7d95d2cc 5457 netty_4.1.48-11_source.buildinfo
Checksums-Sha256:
 2316f18cae40923b90e4afeae1c3823f688974517c5cf752ea9651fbd41577f5 2422 netty_4.1.48-11.dsc
 e5351d821f461f64af58e89f260ad8943b0ab75f26c1a845300a91f22a711600 1665244 netty_4.1.48.orig.tar.xz
 da65bdece5567cf48a8503a08fc7f452cb73a43eb7b40e97c86eca81160f69cf 49368 netty_4.1.48-11.debian.tar.xz
 4465df796b8eda5750b0ceb6cc5a55bd52c1a0a15a7b9696356b4cb16ef849f2 5457 netty_4.1.48-11_source.buildinfo
Files:
 7a6f6c5dd79ecf6641c372e82303ec1d 2422 java optional netty_4.1.48-11.dsc
 ebc25581b3e2b6e1bb47200ba260a636 1665244 java optional netty_4.1.48.orig.tar.xz
 68bdef39faed4be9876515542940ce59 49368 java optional netty_4.1.48-11.debian.tar.xz
 ea59261856d74fd356331a800cc32af3 5457 java optional netty_4.1.48-11_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmkYU5EACgkQADoaLapB
CF91Bw/+Mpw8KQuPLdhRrbYDgdaNjOD9FFuP7SFv5hgdbCom+0EwcShHosSRjQvb
ioZivuU5o/NPxp+bbQ3N+Zs03oFOVdVgCrJ5yRf5B29ps/rBoosreBajqq0LiVhT
aEbfVaI3Sz70Q7aEGkuF7bDOMy6VoEojINn3/KC+xUucRAeuAwoJYFiwlCxLeNBF
Qz3EfULesEqmlrif9T5g+tGbxZbgYwaNdQaVspjm3XLC3k8dhnuJCD03dj0TGSCV
cndIVz0CMxwl/l4Q/ucMNOLC4jj3sZus3e319Js9xB+t32g/k8U1NOsOsFwzi3Gm
nfEmnMb4HF2T+wN7QTlseiTj8nWcYfU4Joae4wwE459cENJzjDAtoTkwqrbakyyd
Vd0LdpQZTwAo1SwoDunbGEFVE44mBFWS55XaIjZXrPSmHTeuuX7MVnRDF9sR/7Jg
22Q6CVb5oy09ZyAvSb0DAcp/QIQJiTz6zEOIsjk9/is33UT7IBn/5r2fyGOof7Os
CM9UNw9O0t7RTYtXKhlJaDlGp3ZDPdt3M+6UXsxXT0akcRcTkKIIvTcYbIDyKjSR
u2u7+bzCdNN6eX01cM71j3Ul7kYgJD/Po0S5I0hJYgof6dctnMENGn4N0LxzqiVz
GwcjHwO0XQpng5QlwEX9KqccQHSukbmIG1dAtsdll3zI0BTBE+o=
=it/W
-----END PGP SIGNATURE-----
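The CVE-2025-58056 entry above describes a decoder that pulls 64K of output at a time with no cap and keeps every buffer reachable. The following is an added example, not Netty's BrotliDecoder or any Debian patch: zlib stands in for Brotli because it ships with Python, and the chunk size, the expanded size and the constructed all-zero input are assumptions. It shows the unbounded loop beside one that aborts once cumulative output passes a caller-set limit.

```python
"""Constructed example of the unbounded-output decoder class behind CVE-2025-58056.

Added illustration, not Netty code. zlib is used in place of Brotli because it
is in the Python standard library; the defect and the fix are the same shape.
"""
import zlib

CHUNK = 64 * 1024            # output pulled per call, as in the advisory text
EXPANDED = 4 * 1024 * 1024   # assumed expanded size of the constructed input


def make_bomb(expanded_size: int = EXPANDED) -> bytes:
    """Constructed input: a few KB on the wire that inflate to expanded_size."""
    return zlib.compress(b"\0" * expanded_size, 9)


def decompress_unbounded(data: bytes) -> list[bytes]:
    """Vulnerable pattern: pull until the stream ends; every chunk stays reachable."""
    d = zlib.decompressobj()
    chunks = []
    buf = data
    while True:
        # max_length caps this call's output; leftover input lands in unconsumed_tail
        chunk = d.decompress(buf, CHUNK)
        if chunk:
            chunks.append(chunk)
        buf = d.unconsumed_tail
        if d.eof or (not chunk and not buf):
            break
    return chunks


def decompress_bounded(data: bytes, max_output: int) -> bytes:
    """Hardened pattern: stop as soon as cumulative output exceeds max_output."""
    d = zlib.decompressobj()
    pieces = []
    total = 0
    buf = data
    while True:
        chunk = d.decompress(buf, CHUNK)
        total += len(chunk)
        if total > max_output:
            raise ValueError(f"decompressed output exceeds {max_output} bytes")
        pieces.append(chunk)
        buf = d.unconsumed_tail
        if d.eof:
            return b"".join(pieces)
        if not chunk and not buf:
            raise ValueError("truncated compressed stream")


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """True when the bounded decoder rejects the input for passing the cap."""
    try:
        decompress_bounded(data, max_output)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bomb = make_bomb()
    print(f"{len(bomb)} compressed bytes")
    chunks = decompress_unbounded(bomb)
    print(f"unbounded: {len(chunks)} chunks, {sum(map(len, chunks))} bytes held")
    print("bounded to 1 MiB rejects:", exceeds_limit(bomb, 1 << 20))
```

The cap belongs on the total output, not on the per-call chunk size: limiting each pull to 64K changes nothing if the loop is allowed to run until the stream ends.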
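The CVE-2025-59419 entry above describes a parameter such as a recipient being spliced into an SMTP command without rejecting line terminators. The following is an added example, not Netty's SMTP codec: a toy command encoder that shows how one injected CRLF turns a single RCPT TO into a forged message, beside the input check that refuses it. The function names and the constructed recipient string are assumptions.

```python
"""Constructed example of the SMTP CRLF-injection class behind CVE-2025-59419.

Added illustration, not Netty code. A command encoder that concatenates a
caller-supplied parameter is shown next to one that rejects line terminators.
"""
import re

# Any CR, LF or NUL inside a parameter lets the value end the current command
# line and start new ones.
LINE_TERMINATOR = re.compile(r"[\r\n\x00]")

# Constructed attacker-controlled recipient: everything after the first CRLF
# reaches the server as further commands and a forged message.
INJECTED_RECIPIENT = (
    "victim@example.com>\r\n"
    "DATA\r\n"
    "From: ceo@example.com\r\n"
    "Subject: urgent wire transfer\r\n"
    "\r\n"
    "Forged body\r\n"
    ".\r\n"
    "RCPT TO:<attacker@example.com"
)


def is_safe_smtp_parameter(value: str) -> bool:
    """True when the value cannot terminate or start an SMTP command line."""
    return LINE_TERMINATOR.search(value) is None


def encode_rcpt_unchecked(recipient: str) -> bytes:
    """Vulnerable pattern: the parameter is spliced straight into the wire bytes."""
    return f"RCPT TO:<{recipient}>\r\n".encode("ascii")


def encode_rcpt_checked(recipient: str) -> bytes:
    """Hardened pattern: refuse the parameter before it reaches the wire."""
    if not is_safe_smtp_parameter(recipient):
        raise ValueError("SMTP parameter contains CR, LF or NUL")
    return encode_rcpt_unchecked(recipient)


def server_view(wire: bytes) -> list[str]:
    """The command lines an SMTP server would parse from these bytes
    (the final CRLF terminates the last line, so the trailing empty split is dropped)."""
    return wire.decode("ascii").split("\r\n")[:-1]


if __name__ == "__main__":
    for line in server_view(encode_rcpt_unchecked(INJECTED_RECIPIENT)):
        print(repr(line))
    try:
        encode_rcpt_checked(INJECTED_RECIPIENT)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting CR, LF and NUL at the codec boundary is the minimal fix; an application that accepts recipients from untrusted input should validate them against the address syntax it expects before they ever reach the codec.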