Format: 1.8
Date: Tue, 25 Nov 2025 23:06:00 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-13
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1113995
Changes:
 netty (1:4.1.48-13) unstable; urgency=high
 .
   * Team upload
   * Fix test for junit4 for CVE-2025-58057 improving backporting.
     Thanks to Edwin Jiang.
   * Fix CVE-2025-58056 (Closes: #1113995)
     Netty incorrectly accepts standalone newline characters (LF) as a
     chunk-size line terminator, regardless of a preceding carriage
     return (CR), instead of requiring CRLF per HTTP/1.1 standards.
     When combined with reverse proxies that parse LF differently
     (treating it as part of the chunk extension), attackers can craft
     requests that the proxy sees as one request but Netty processes
     as two, enabling request smuggling attacks.
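The chunk-size line rule behind CVE-2025-58056, as an added example (not Netty's code and not the Debian patch): a small chunked-body decoder whose strict mode requires CRLF and whose lenient mode ends the line at any LF, as the changelog describes. The function names, the `strict` flag and both sample bodies are constructed for illustration, and trailer fields are assumed absent.

```python
class FramingError(ValueError):
    """Raised when a chunked body violates the framing rules checked here."""

HEX_DIGITS = b"0123456789abcdefABCDEF"

def read_chunk_size(buf: bytes, pos: int, strict: bool = True):
    """Parse one chunk-size line at pos and return (size, next_pos).

    strict=True accepts only CRLF as the line terminator (HTTP/1.1).
    strict=False ends the line at any LF, the lenient behaviour the
    changelog entry describes.
    """
    lf = buf.find(b"\n", pos)
    if lf < 0:
        raise FramingError("incomplete chunk-size line")
    has_cr = lf > pos and buf[lf - 1:lf] == b"\r"
    if strict and not has_cr:
        raise FramingError("bare LF ends chunk-size line at offset %d" % lf)
    line = buf[pos:lf - 1] if has_cr else buf[pos:lf]
    # Anything after ';' is a chunk extension and does not affect the size.
    size_field = line.split(b";", 1)[0].strip(b" \t")
    if not size_field or any(c not in HEX_DIGITS for c in size_field):
        raise FramingError("invalid chunk size %r" % size_field)
    return int(size_field, 16), lf + 1

def decode_chunked(buf: bytes, strict: bool = True) -> bytes:
    """Decode a chunked body; raise FramingError on any framing violation."""
    pos, body = 0, bytearray()
    while True:
        size, pos = read_chunk_size(buf, pos, strict)
        if size == 0:
            break
        data = buf[pos:pos + size]
        if len(data) != size or buf[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data not followed by CRLF")
        body += data
        pos += size + 2
    if buf[pos:pos + 2] != b"\r\n":  # assumption: no trailer fields
        raise FramingError("missing final CRLF")
    return bytes(body)

# Constructed samples: identical except for the first line terminator.
CLEAN = b"4;note\r\nWiki\r\n0\r\n\r\n"
BARE_LF = b"4;note\nWiki\r\n0\r\n\r\n"

if __name__ == "__main__":
    print("lenient:", decode_chunked(BARE_LF, strict=False))
    try:
        decode_chunked(BARE_LF)
    except FramingError as exc:
        print("strict :", exc)
```

Rejecting the message in strict mode, rather than normalising the bare LF, is what keeps this decoder's view of the message boundary identical to that of any intermediary in front of it.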