-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Feb 2026 11:26:12 +0100
Source: netty
Binary: libnetty-java
Architecture: all
Version: 1:4.1.48-7+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-01)
Changed-By: Bastien Roucariès
Description:
 libnetty-java - Java NIO client/server socket framework
Closes: 1068110 1111105 1113994 1118282 1123606
Changes:
 netty (1:4.1.48-7+deb12u2) bookworm-security; urgency=medium
 .
   * Team upload
   * Fix CVE-2024-29025 (Closes: #1068110)
     The `HttpPostRequestDecoder` can be tricked to accumulate data. While the
     decoder can store items on the disk if configured so, there are no limits
     to the number of fields the form can have; an attacker can send a chunked
     post consisting of many small fields that will be accumulated in the
     `bodyListHttpData` list. The decoder accumulates bytes in the
     `undecodedChunk` buffer until it can decode a field; this field can
     accumulate data without limit.
   * Fix CVE-2025-55163 (Closes: #1111105)
     Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability
     in the HTTP/2 protocol that uses malformed HTTP/2 control frames in order
     to break the max concurrent streams limit, which results in resource
     exhaustion and distributed denial of service.
   * Fix CVE-2025-58056 (Closes: #1113994)
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service.
     BrotliDecoder.decompress has no limit in how often it calls pull,
     decompressing data 64K bytes at a time. The buffers are saved in the
     output list, and remain reachable until OOM is hit.
   * Fix CVE-2025-58057:
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service.
     BrotliDecoder.decompress has no limit in how often it calls pull,
     decompressing data 64K bytes at a time. The buffers are saved in the
     output list, and remain reachable until OOM is hit. (Closes: #1113994)
   * Fix CVE-2025-59419 (Closes: #1118282)
     SMTP Command Injection Vulnerability Allowing Email Forgery
     An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP
     codec allows a remote attacker who can control SMTP command parameters
     (e.g., an email recipient) to forge arbitrary emails from the trusted
     server. This bypasses standard email authentication and can be used to
     impersonate executives and forge high-stakes corporate communications.
   * Fix CVE-2025-67735 (Closes: #1123606)
     `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection
     with the request URI when constructing a request. This leads to request
     smuggling when `HttpRequestEncoder` is used without proper sanitization
     of the URI. Any application / framework using `HttpRequestEncoder` can be
     abused to perform request smuggling using CRLF injection.
Checksums-Sha1:
 2098aeb5d0307591484ff14defc02826f6210681 3626988 libnetty-java_4.1.48-7+deb12u2_all.deb
 19fb9d560257f11e1c0ba616162208fa8ff05ae2 15788 netty_4.1.48-7+deb12u2_all-buildd.buildinfo
Checksums-Sha256:
 a8368dfd04f0dc8f6c9234fd99069106a9be0a60f7a71e6d212ab7629cd1e1a3 3626988 libnetty-java_4.1.48-7+deb12u2_all.deb
 47766bb8fa441a5748560649ad80a266e681eb2c3fe2e542e2d1c8dcb2411a42 15788 netty_4.1.48-7+deb12u2_all-buildd.buildinfo
Files:
 410060abc3722682bbe3a737bc045996 3626988 java optional libnetty-java_4.1.48-7+deb12u2_all.deb
 aec4365a7c0caae954f97259639c8824 15788 java optional netty_4.1.48-7+deb12u2_all-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEaPzFtKPtF0JrKPV5iZlfn74WV6kFAmmfAEsACgkQiZlfn74W
V6lB2g//c0DdH3UcyGl082RjwQ3s1aDtGnppKQh6idyl1HKcGpy0bY+8UAdY7UOZ
k5qHRZt9w0/v1RtwdvEuGiqCtkqvCaqPkXz3RiNENuX04/P/BJcwkC2Trm3n9MJv
OyFUBoJNg/EYOUkqKT8zcdN/mU4Mee4ZzhBVG+6RA8Q4tpfOT3aMqlHlCgzUaRQP
RpGf1x4nOnicHb3eqek0Fb4VgHTda3kh1SGSHh2XQjTMZZw+RvFylbSTCkaCrTZM
Vf9HX605NngbfblVHXHzP5FOKLThrFh+5Cdl8cKV5gn0Q/smUMZSmAjThRUJLZ0E
+txt8ME/GCmKcC/WDG9TqhLn/G0cVo0lwQlvi547D3uLI2jCp+CI50xmd+G6Vgru
aXhSeBod3OEhfLTJBXpeQrgLkxMk05BJpS6t7y7Q8hDwEQ5EK8qI5XDf20kWj310
NCt7kZQ7oGs9XdehoJqMFFoED8+M1nmH73klYaeMT9+t002j7DME6d1PYApES+tl
e4GOGRYXTCHm1zv7/LgbOcCRBPtutc4OF5e5QhpIL7Z8TW9vCdtbnKz2QraYPZc3
7dwCcH09xryjSCcaD6k9AeMD/bnu3nfC1fvJ07L6IfHB2DXakVOkD+0dWH5vW/v0
0oAO7FmimXmIWjkPP52AaLKG1lWIUmwIXCWeQ5JWj9aFZTGZ+nI=
=eEug
-----END PGP SIGNATURE-----
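The CVE-2025-58056 / CVE-2025-58057 entries above describe a decoder that keeps pulling 64K at a time and retains every buffer in an output list until OOM; the CVE-2024-29025 entry describes the same shape of bug for form fields. The block below is an added example, not Netty's code and not the Debian patch: it shows an unbounded pull loop beside one that fails closed once a total-output cap is reached. zlib stands in for Brotli because it is in the Python standard library, the 8 MiB zero-filled "bomb" is constructed here, and the names `inflate_unbounded`, `inflate_bounded` and `DecompressionLimitExceeded` are this example's own.

```python
"""Added example, not Netty's code: the unbounded-output failure mode the
changelog describes for BrotliDecoder, beside a decoder that caps total
output. zlib is the stand-in codec (assumption: same pull mechanics)."""
import zlib

CHUNK = 64 * 1024  # pull size, matching the 64K-at-a-time behaviour in the changelog


class DecompressionLimitExceeded(Exception):
    """Raised when inflating the input would exceed the configured output cap."""


def constructed_bomb(plain_size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed input: a few KB of zlib data that inflates to plain_size zero bytes."""
    return zlib.compress(b"\0" * plain_size, 9)


def inflate_unbounded(data: bytes) -> list:
    """Vulnerable shape: pull at most CHUNK bytes per call and append every
    buffer to an output list. The only stop condition is end of stream, so a
    small input can pin an arbitrary amount of memory."""
    d = zlib.decompressobj()
    out = []
    pending = data
    while not d.eof:
        chunk = d.decompress(pending, CHUNK)   # at most CHUNK bytes per pull
        pending = d.unconsumed_tail            # compressed input not consumed yet
        if chunk:
            out.append(chunk)                  # stays reachable for the whole request
        elif not pending:
            break                              # truncated stream: nothing more to produce
    return out


def inflate_bounded(data: bytes, max_output: int) -> bytes:
    """Hardened shape: the same pull loop, but the running total is checked
    before each buffer is retained, so the decoder fails closed instead of
    growing until OOM."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        chunk = d.decompress(pending, CHUNK)
        pending = d.unconsumed_tail
        if not chunk and not pending:
            break
        if len(out) + len(chunk) > max_output:
            raise DecompressionLimitExceeded(
                f"output would exceed {max_output} bytes after {len(out)} bytes "
                f"produced from {len(data)} bytes of input")
        out += chunk
    return bytes(out)


if __name__ == "__main__":
    bomb = constructed_bomb()
    chunks = inflate_unbounded(bomb)
    print(f"{len(bomb)} bytes in -> {len(chunks)} buffers, "
          f"{sum(map(len, chunks))} bytes reachable")
    try:
        inflate_bounded(bomb, 1024 * 1024)
    except DecompressionLimitExceeded as e:
        print("bounded decoder refused:", e)
```

The cap is checked before the buffer is appended, not after, so the decoder never holds more than `max_output` bytes even transiently; the same "count before you retain" check is what a bounded form decoder needs for its field list.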
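The CVE-2025-59419 and CVE-2025-67735 entries both describe the same mechanism: a protocol parameter (an SMTP recipient, an HTTP request URI) containing CR/LF is written into a line-oriented wire format, so the peer reads the attacker's text as a second command or a second request. The block below is an added example, not Netty's code and not the fix shipped in this upload; the encoder functions are minimal stand-ins for the SMTP codec and `HttpRequestEncoder` paths, and the two payloads are constructed for the demonstration.

```python
"""Added example, not Netty's code: an unvalidated parameter becoming an
injected SMTP command or HTTP request, and the check that rejects it.
The encoders are stand-ins (assumption), not the Netty implementations."""

CRLF = "\r\n"


class CrlfInjection(ValueError):
    """Raised when a parameter would terminate the protocol line early."""


def reject_line_breaks(what: str, value: str) -> str:
    # CR and LF are refused individually: a bare LF is enough for many
    # servers, and a bare CR is enough for some parsers.
    if "\r" in value or "\n" in value:
        raise CrlfInjection(f"{what} contains CR/LF: {value!r}")
    return value


def reject_request_target_controls(uri: str) -> str:
    # A request-target may not contain whitespace or control characters; a
    # single space already lets the caller supply a fake HTTP-version and
    # everything that follows it.
    for ch in uri:
        if ord(ch) <= 0x20 or ord(ch) == 0x7F:
            raise CrlfInjection(f"request target contains {ch!r}: {uri!r}")
    return uri


# SMTP: RCPT TO built from an attacker-controlled recipient.

def smtp_rcpt_naive(recipient: str) -> str:
    """Vulnerable shape: the recipient goes straight into the command line."""
    return f"RCPT TO:<{recipient}>{CRLF}"


def smtp_rcpt_safe(recipient: str) -> str:
    return f"RCPT TO:<{reject_line_breaks('recipient', recipient)}>{CRLF}"


def smtp_commands(wire: str) -> list:
    """Read the buffer the way an SMTP server does: one command per CRLF."""
    return [line for line in wire.split(CRLF) if line]


# HTTP: request line built from an attacker-controlled URI.

def http_request_naive(method: str, uri: str, host: str) -> str:
    """Vulnerable shape: the URI is written into the request line unchecked."""
    return f"{method} {uri} HTTP/1.1{CRLF}Host: {host}{CRLF}{CRLF}"


def http_request_safe(method: str, uri: str, host: str) -> str:
    return http_request_naive(method, reject_request_target_controls(uri), host)


def http_request_lines(wire: str) -> list:
    """Split the buffer into blank-line-delimited messages; return each request line."""
    return [msg.split(CRLF)[0] for msg in wire.split(CRLF + CRLF) if msg]


# Constructed attacker inputs for the demonstration (not from real traffic).
SMTP_PAYLOAD = "victim@example.com>\r\nRCPT TO:<attacker@evil.example"
URI_PAYLOAD = "/search?q=x HTTP/1.1\r\nHost: front.example\r\n\r\nGET /admin/export"


if __name__ == "__main__":
    print(smtp_commands(smtp_rcpt_naive(SMTP_PAYLOAD)))
    print(http_request_lines(http_request_naive("GET", URI_PAYLOAD, "front.example")))
    for label, call in (("smtp", lambda: smtp_rcpt_safe(SMTP_PAYLOAD)),
                        ("http", lambda: http_request_safe("GET", URI_PAYLOAD, "front.example"))):
        try:
            call()
        except CrlfInjection as e:
            print(label, "rejected:", e)
```

The parsers `smtp_commands` and `http_request_lines` are there to show what the peer actually sees: the naive encoders emit two commands and two requests respectively, which is exactly the forgery and smuggling the changelog warns about. The hardened encoders reject the value before any bytes are written rather than trying to strip or escape it, which is the only check that keeps every parser on the other side in agreement.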