-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Mar 2026 18:34:22 +0200
Source: netty
Architecture: source
Version: 1:4.1.48-4+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1068110 1111105 1113994 1118282 1123606
Changes:
 netty (1:4.1.48-4+deb11u3) bullseye-security; urgency=medium
 .
   * Team upload
   * Fix CVE-2024-29025 (Closes: #1068110)
     The `HttpPostRequestDecoder` can be tricked into accumulating data. While
     the decoder can store items on disk if configured to do so, there is no
     limit on the number of fields the form can have; an attacker can send a
     chunked POST consisting of many small fields that will be accumulated in
     the `bodyListHttpData` list. The decoder accumulates bytes in the
     `undecodedChunk` buffer until it can decode a field, and this field can
     accumulate data without limit.
   * Fix CVE-2025-55163 (Closes: #1111105)
     Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability
     in the HTTP/2 protocol that uses malformed HTTP/2 control frames in order
     to break the max concurrent streams limit, which results in resource
     exhaustion and distributed denial of service.
   * Fix CVE-2025-58056 (Closes: #1113994)
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service.
     BrotliDecoder.decompress has no limit on how often it calls pull,
     decompressing data 64K bytes at a time. The buffers are saved in the
     output list and remain reachable until OOM is hit.
   * Fix CVE-2025-58057:
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service.
     BrotliDecoder.decompress has no limit on how often it calls pull,
     decompressing data 64K bytes at a time. The buffers are saved in the
     output list and remain reachable until OOM is hit. (Closes: #1113994)
   * Fix CVE-2025-59419 (Closes: #1118282)
     SMTP Command Injection Vulnerability Allowing Email Forgery
     An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP
     codec allows a remote attacker who can control SMTP command parameters
     (e.g., an email recipient) to forge arbitrary emails from the trusted
     server. This bypasses standard email authentication and can be used to
     impersonate executives and forge high-stakes corporate communications.
   * Fix CVE-2025-67735 (Closes: #1123606)
     `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection
     with the request URI when constructing a request. This leads to request
     smuggling when `HttpRequestEncoder` is used without proper sanitization
     of the URI. Any application / framework using `HttpRequestEncoder` can
     be abused to perform request smuggling using CRLF injection.
Checksums-Sha1:
 c8d85b78023deea31422098934ba9ec61b1977be 2470 netty_4.1.48-4+deb11u3.dsc
 022ad0c0c76dd4ba14b1e44d11cf0b99f0feeb2b 1665244 netty_4.1.48.orig.tar.xz
 07b2dc52aae2f0d1f21e13543f6153d2d86a2663 57628 netty_4.1.48-4+deb11u3.debian.tar.xz
 485221b25e89019e9569a464345a6bd30947d575 14623 netty_4.1.48-4+deb11u3_source.buildinfo
Checksums-Sha256:
 d71d0c1fde75d5462a54057be3dd0f03f6bd651c88a0421c6bdc0e84b39d1b1a 2470 netty_4.1.48-4+deb11u3.dsc
 e5351d821f461f64af58e89f260ad8943b0ab75f26c1a845300a91f22a711600 1665244 netty_4.1.48.orig.tar.xz
 8087ea20ce825181c1b4ec12ac1e91654473da465540276f03856917a286aaa5 57628 netty_4.1.48-4+deb11u3.debian.tar.xz
 57a3470c79e98638e3ee9ca1d9fcbe6574bf80c4374337be4105b6da2c58edab 14623 netty_4.1.48-4+deb11u3_source.buildinfo
Files:
 b1480084e0a74487ee1130ce790bd65e 2470 java optional netty_4.1.48-4+deb11u3.dsc
 ebc25581b3e2b6e1bb47200ba260a636 1665244 java optional netty_4.1.48.orig.tar.xz
 4e89bca3dab5e590b37d12ff4bc33944 57628 java optional netty_4.1.48-4+deb11u3.debian.tar.xz
 71e40fe26fea0caf6f4cb436dd4bcd2e 14623 java optional netty_4.1.48-4+deb11u3_source.buildinfo