Format: 1.8
Date: Sun, 16 Nov 2025 09:30:49 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-12
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1113994
Changes:
 netty (1:4.1.48-12) unstable; urgency=high
 .
   * Team upload
   * Fix CVE-2025-58057:
     When supplied with specially crafted input, BrotliDecoder
     and certain other decompression decoders will allocate a
     large number of reachable byte buffers, which can lead
     to denial of service. BrotliDecoder.decompress has no limit
     in how often it calls pull, decompressing data 64K bytes at
     a time. The buffers are saved in the output list, and remain
     reachable until OOM is hit.
     (Closes: #1113994)