netty - Debian Package Tracker

general

source: netty (main)
version: 1:4.1.48-16
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Kyo Lee [DMD] – Graziano Obertelli [DMD] – Chris Grzegorczyk [DMD]
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:4.1.48-4+deb11u2
o-o-sec: 1:4.1.48-4+deb11u3
oldstable: 1:4.1.48-7+deb12u1
old-sec: 1:4.1.48-7+deb12u2
old-p-u: 1:4.1.48-7+deb12u2
stable: 1:4.1.48-10
stable-sec: 1:4.1.48-10+deb13u1
stable-p-u: 1:4.1.48-10+deb13u1
testing: 1:4.1.48-16
unstable: 1:4.1.48-16

versioned links

1:4.1.48-4+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.1.48-4+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.1.48-7+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.1.48-7+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.1.48-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.1.48-10+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.1.48-16: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libnetty-buffer-java
libnetty-common-java
libnetty-java (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 4.2.12 high

A new upstream version 4.2.12 is available, you should consider packaging it.

Created: 2025-11-27 Last update: 2026-04-11 16:01

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2026-33870: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CVE-2026-33871: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Created: 2026-03-28 Last update: 2026-03-31 22:30

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2026-33870: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CVE-2026-33871: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Created: 2026-03-28 Last update: 2026-03-31 22:30

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2026-33870: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CVE-2026-33871: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Created: 2026-03-28 Last update: 2026-03-31 22:30

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2026-33870: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CVE-2026-33871: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Created: 2025-08-14 Last update: 2026-03-31 22:30

2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:

CVE-2026-33870: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CVE-2026-33871: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Created: 2026-03-28 Last update: 2026-03-31 22:30

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1:4.1.48-17, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit c549add863392de1c30e8ac7c81d34364fcdd834
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Apr 6 17:40:35 2026 +0200

    Fix ByteBuf type

commit 0c4fc7e4b9c921ecb9dde2a75b7c8a16efbe3dde
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Apr 6 17:15:53 2026 +0200

    Fix a typo

commit 8c4e14cce4f6c750cda0eb657d108ce822d4437a
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Apr 6 16:46:55 2026 +0200

    CVE-2026-33870

commit 1a58ead93eabf86495195fca2eab568833093aa3
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Apr 6 15:56:24 2026 +0200

    CVE-2026-33871

Created: 2026-04-06 Last update: 2026-04-06 16:30

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-02-09 Last update: 2026-02-09 04:01

debian/patches: 18 patches to forward upstream low

Among the 34 debian patches available in version 1:4.1.48-16 of the package, we noticed the following issues:

18 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-02-08 23:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.6.2).

Created: 2024-04-07 Last update: 2026-03-31 15:01

news

[rss feed]

[2026-03-31] Accepted netty 1:4.1.48-4+deb11u3 (source) into oldoldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-03-14] Accepted netty 1:4.1.48-10+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2026-03-13] Accepted netty 1:4.1.48-7+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2026-03-11] Accepted netty 1:4.1.48-7+deb12u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2026-03-11] Accepted netty 1:4.1.48-10+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2026-02-13] netty 1:4.1.48-16 MIGRATED to testing (Debian testing watch)
[2026-02-08] Accepted netty 1:4.1.48-16 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-02-08] Accepted netty 1:4.1.48-15 (source all) into experimental (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2025-12-09] netty 1:4.1.48-14 MIGRATED to testing (Debian testing watch)
[2025-12-03] Accepted netty 1:4.1.48-14 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-11-30] netty 1:4.1.48-13 MIGRATED to testing (Debian testing watch)
[2025-11-27] Accepted netty 1:4.1.48-13 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-11-21] netty 1:4.1.48-12 MIGRATED to testing (Debian testing watch)
[2025-11-19] Accepted netty 1:4.1.48-12 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-11-18] netty 1:4.1.48-11 MIGRATED to testing (Debian testing watch)
[2025-11-15] Accepted netty 1:4.1.48-11 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-06-21] Accepted netty 1:4.1.33-1+deb10u5 (source) into oldoldstable (Markus Koschany)
[2024-05-15] netty 1:4.1.48-10 MIGRATED to testing (Debian testing watch)
[2024-05-12] Accepted netty 1:4.1.48-10 (source) into unstable (Markus Koschany)
[2023-12-14] netty 1:4.1.48-9 MIGRATED to testing (Debian testing watch)
[2023-12-09] Accepted netty 1:4.1.48-9 (source) into unstable (Vladimir Petko) (signed by: tony mancill)
[2023-11-22] Accepted netty 1:4.1.48-7+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-11-22] Accepted netty 1:4.1.48-4+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2023-11-19] Accepted netty 1:4.1.33-1+deb10u4 (source) into oldoldstable (Markus Koschany)
[2023-11-18] Accepted netty 1:4.1.48-4+deb11u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-11-18] Accepted netty 1:4.1.48-7+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-11-17] netty 1:4.1.48-8 MIGRATED to testing (Debian testing watch)
[2023-11-11] Accepted netty 1:4.1.48-8 (source) into unstable (Markus Koschany)
[2023-01-28] netty 1:4.1.48-7 MIGRATED to testing (Debian testing watch)
[2023-01-22] Accepted netty 1:4.1.48-7 (source) into unstable (Pierre Gruet)

bugs [bug history graph]

all: 5
RC: 0
I&N: 4
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 2)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:4.1.48-16