-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Feb 2026 11:26:12 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-7+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Java Maintainers
Changed-By: Bastien Roucariès
Closes: 1068110 1111105 1113994 1118282 1123606
Changes:
 netty (1:4.1.48-7+deb12u2) bookworm-security; urgency=medium
 .
   * Team upload
   * Fix CVE-2024-29025 (Closes: #1068110)
     The `HttpPostRequestDecoder` can be tricked to accumulate data. While
     the decoder can store items on the disk if configured so, there are no
     limits to the number of fields the form can have; an attacker can send
     a chunked POST consisting of many small fields that will be
     accumulated in the `bodyListHttpData` list. The decoder accumulates
     bytes in the `undecodedChunk` buffer until it can decode a field; this
     field can accumulate data without limits.
   * Fix CVE-2025-55163 (Closes: #1111105)
     Netty is vulnerable to MadeYouReset DDoS. This is a logical
     vulnerability in the HTTP/2 protocol that uses malformed HTTP/2
     control frames in order to break the max concurrent streams limit,
     which results in resource exhaustion and distributed denial of
     service.
   * Fix CVE-2025-58056 (Closes: #1113994)
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service.
     BrotliDecoder.decompress has no limit in how often it calls pull,
     decompressing data 64K bytes at a time. The buffers are saved in the
     output list, and remain reachable until OOM is hit.
   * Fix CVE-2025-58057:
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service.
     BrotliDecoder.decompress has no limit in how often it calls pull,
     decompressing data 64K bytes at a time. The buffers are saved in the
     output list, and remain reachable until OOM is hit. (Closes: #1113994)
   * Fix CVE-2025-59419 (Closes: #1118282)
     SMTP Command Injection Vulnerability Allowing Email Forgery.
     An SMTP Command Injection (CRLF Injection) vulnerability in Netty's
     SMTP codec allows a remote attacker who can control SMTP command
     parameters (e.g., an email recipient) to forge arbitrary emails from
     the trusted server. This bypasses standard email authentication and
     can be used to impersonate executives and forge high-stakes corporate
     communications.
   * Fix CVE-2025-67735 (Closes: #1123606)
     `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection
     with the request URI when constructing a request. This leads to
     request smuggling when `HttpRequestEncoder` is used without proper
     sanitization of the URI. Any application / framework using
     `HttpRequestEncoder` can be subject to be abused to perform request
     smuggling using CRLF injection.
Checksums-Sha1:
 8dc28660bbb025c2f06bf5c94e3c56c5eaf269d0 2449 netty_4.1.48-7+deb12u2.dsc
 022ad0c0c76dd4ba14b1e44d11cf0b99f0feeb2b 1665244 netty_4.1.48.orig.tar.xz
 fe8e785301d51793f2b3adb3abb956267e431e85 57888 netty_4.1.48-7+deb12u2.debian.tar.xz
 c710858538ca0eef0a9e48dd4ea4e5266855e944 14567 netty_4.1.48-7+deb12u2_source.buildinfo
Checksums-Sha256:
 06bee0b9ef847f6d21380229e15a85b9f8a4e8cb89e8f889e04f90eed9e69da7 2449 netty_4.1.48-7+deb12u2.dsc
 e5351d821f461f64af58e89f260ad8943b0ab75f26c1a845300a91f22a711600 1665244 netty_4.1.48.orig.tar.xz
 4acfbf9a2e2d51e8e4c21c7532b65dccc6db3ab561a40049d56219f89f09fc1a 57888 netty_4.1.48-7+deb12u2.debian.tar.xz
 4f9747a0ade9564c7bb5674164b99be5dd168fafaf62846f7d1121905eb8cc35 14567 netty_4.1.48-7+deb12u2_source.buildinfo
Files:
 9a2f2b0d9f543361690c0748ec506bb5 2449 java optional netty_4.1.48-7+deb12u2.dsc
 ebc25581b3e2b6e1bb47200ba260a636 1665244 java optional netty_4.1.48.orig.tar.xz
 fba157d4962aed3268edfe3eb569872d 57888 java optional netty_4.1.48-7+deb12u2.debian.tar.xz
 feb8a5c16bd368957ec3fe20b53cd4e2 14567 java optional netty_4.1.48-7+deb12u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmme+b4ACgkQADoaLapB
CF9iIw/+LARGbP0mgPSXoTReCjmNF3lzwP4VEO86Vig5G11MxDeC8z08aopZ0yT+
qhZy1D2aVa6OqAfq0pVf7eOqN/OiD8PNbe619aSP2GmneoUDtqcya1BGeqBSLAMY
ea3u3PT1zmhKubYAF/wcdU8zr/4UwAoLrRU2EwAUsLVcU3D3gasUr18vlfxi9G1p
t6IK3zePfoRS/40i1wd+u+/QVVKnXDtAEAW70Mk20v7ro29t/iKWSlze5Sd6+Vxh
tTcISvFnaXglx1ERY+E40XUrFOy5h/yMF1vqJOOXkjLAdsnMQV8BjduwH6wTQLzK
/u7JQalMqLid+E/qFqaStH7105PQ3z4LTBIiv7SQJWu08E+N5TZaXJ/B0pCXTaAp
QjXuzbrkZVsKQN5jM9TTtG1e/BqQF8c6KXy8ostKqiljg+DioPzSknTPXOyPyg6R
3PO3A/0zvIk9rN09Z3qm4d93z6+1ABPdsHBM6eMHH+JJHubx2OjAPvg4DpHX8H75
Ol59m+N2KdvUToWf0yZ/3mNDnxq+7H3SYPe1syHKqpUfMcJYqoQf3j31yGZLmbh1
epmB7FzRzqjjcwW6f518/z1rz2ScX5QB64wa+BVxZyCkyi1mj/b0jjCVZC9swAZg
U4z1BTO0I169Xde1LuU10Bs0Gh2LU54EWiqoEKUUjiQrZeVNdbM=
=L48a
-----END PGP SIGNATURE-----
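The two CRLF entries above (CVE-2025-59419 in the SMTP codec and CVE-2025-67735 in `HttpRequestEncoder`) are instances of one flaw class: a caller-supplied parameter is pasted into a line-oriented protocol without checking for CR or LF, so the peer parses extra commands or a second request. The script below is an added, self-contained illustration of that class and its usual fix, written for this page; it is not Netty's code, does not reproduce the Debian patch, and the message builders, the `reject_crlf` check and the attacker-controlled sample values are constructed for the example.

```python
"""CRLF injection in line-oriented protocols (SMTP commands, HTTP/1.1
request line): a naive builder beside a hardened one. Constructed
example; the builders are not Netty's SMTP codec or HttpRequestEncoder."""

CRLF = "\r\n"


def smtp_rcpt_naive(recipient: str) -> str:
    """Builds RCPT TO without validating the parameter (flaw class of
    CVE-2025-59419; the real codec's code differs)."""
    return f"RCPT TO:<{recipient}>{CRLF}"


def http_request_naive(method: str, uri: str, host: str) -> str:
    """Builds a request head without validating the URI (flaw class of
    CVE-2025-67735; the real encoder's code differs)."""
    return f"{method} {uri} HTTP/1.1{CRLF}Host: {host}{CRLF}{CRLF}"


def reject_crlf(value: str, what: str) -> str:
    """Hardened form: refuse any value that could terminate a protocol line.
    Rejecting is safer than stripping, which can silently change meaning."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"{what} contains CR/LF")
    return value


def smtp_rcpt_safe(recipient: str) -> str:
    return smtp_rcpt_naive(reject_crlf(recipient, "recipient"))


def http_request_safe(method: str, uri: str, host: str) -> str:
    return http_request_naive(reject_crlf(method, "method"),
                              reject_crlf(uri, "uri"),
                              reject_crlf(host, "host"))


def server_view(wire: str) -> list[str]:
    """Non-empty lines a line-oriented peer would parse from the bytes."""
    return [line for line in wire.split(CRLF) if line]


# Constructed attacker-controlled recipient: closes the RCPT TO parameter,
# then injects DATA and a forged message that the trusted server relays.
EVIL_RECIPIENT = ("victim@example.com>" + CRLF
                  + "DATA" + CRLF
                  + "From: ceo@example.com" + CRLF
                  + "Subject: Wire transfer" + CRLF
                  + CRLF
                  + "Please pay invoice 1234." + CRLF
                  + "." + CRLF
                  + "RCPT TO:<other@example.com")

# Constructed attacker-controlled URI: ends the request line and smuggles a
# second request down the same connection.
EVIL_URI = ("/search?q=x HTTP/1.1" + CRLF + "Host: api.example.com" + CRLF
            + CRLF + "GET /admin")


def smtp_commands_seen(recipient: str = EVIL_RECIPIENT) -> list[str]:
    """Commands the SMTP server sees when the naive builder is used."""
    return server_view(smtp_rcpt_naive(recipient))


def http_requests_seen(uri: str = EVIL_URI) -> int:
    """Number of request lines a peer parses from the naive encoding."""
    wire = http_request_naive("GET", uri, "api.example.com")
    return sum(1 for line in server_view(wire) if line.startswith("GET "))


def safe_rejects(recipient: str = EVIL_RECIPIENT,
                 uri: str = EVIL_URI) -> tuple[bool, bool]:
    """True for each hardened builder that refused the injected value."""
    results = []
    for build in (lambda: smtp_rcpt_safe(recipient),
                  lambda: http_request_safe("GET", uri, "api.example.com")):
        try:
            build()
            results.append(False)
        except ValueError:
            results.append(True)
    return tuple(results)


if __name__ == "__main__":
    for cmd in smtp_commands_seen():
        print("SMTP server sees:", cmd)
    print("HTTP request lines seen:", http_requests_seen())
    print("hardened builders rejected injection:", safe_rejects())
```

The same check applies to every parameter that lands on a protocol line (mail addresses, header values, URIs, hostnames), and it belongs in the encoder, not only in the application: the changelog's point is that any framework calling the encoder without sanitising the URI inherits the smuggling.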
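The Checksums-Sha256 stanza above is what lets a consumer of this upload check that the .dsc, orig tarball, debian tarball and buildinfo it fetched are the ones that were signed. The following is an added example of that check, written for this page and not part of Debian's tooling (`dscverify` and `dpkg-source` do this in practice): it parses the multiline field, compares size before digest, and refuses file names with path components so a hostile .changes file cannot point outside the download directory. The sample .changes text and the files it creates are constructed for the example; it verifies integrity only, and authenticity still requires `gpg --verify` on the signed file against the Debian keyring.

```python
"""Verify the Checksums-Sha256 stanza of a Debian .changes file against
files on disk. Added example, not Debian's own tooling."""
import hashlib
import os
import tempfile


def parse_checksums(changes_text: str,
                    field: str = "Checksums-Sha256") -> list[tuple[str, int, str]]:
    """Return (hexdigest, size, filename) for each continuation line of the
    named multiline field. Lines of other fields are ignored."""
    entries = []
    in_field = False
    for line in changes_text.splitlines():
        if in_field and line.startswith(" ") and line.strip():
            parts = line.split()
            if len(parts) != 3:
                raise ValueError(f"malformed checksum line: {line!r}")
            digest, size, name = parts
            entries.append((digest.lower(), int(size), name))
            continue
        in_field = (line.rstrip() == f"{field}:")
    return entries


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(changes_text: str, directory: str) -> dict[str, str]:
    """Map each listed file to one of: ok, missing, size-mismatch,
    digest-mismatch, rejected-name (names must be bare file names)."""
    status = {}
    for digest, size, name in parse_checksums(changes_text):
        if os.path.basename(name) != name or name in (".", ".."):
            status[name] = "rejected-name"   # no path traversal via .changes
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        elif os.path.getsize(path) != size:
            status[name] = "size-mismatch"   # cheap check before hashing
        elif sha256_of(path) != digest:
            status[name] = "digest-mismatch"
        else:
            status[name] = "ok"
    return status


# Constructed sample: the well-known digests of the empty file, plus one
# deliberately wrong digest, so every verdict can be exercised offline.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SAMPLE_CHANGES = f"""Format: 1.8
Source: netty
Checksums-Sha1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 good.txt
Checksums-Sha256:
 {EMPTY_SHA256} 0 good.txt
 {EMPTY_SHA256} 0 tampered.txt
 {EMPTY_SHA256} 0 absent.txt
 {"00" * 32} 1 wronghash.txt
 {EMPTY_SHA256} 0 ../escape.txt
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 java optional good.txt
"""


def demo() -> dict[str, str]:
    """Create the constructed files in a temp dir and verify them."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "good.txt"), "wb").close()      # 0 bytes, matches
        with open(os.path.join(d, "tampered.txt"), "wb") as f:
            f.write(b"x")                                    # size differs
        with open(os.path.join(d, "wronghash.txt"), "wb") as f:
            f.write(b"x")                                    # size ok, digest not
        return verify_files(SAMPLE_CHANGES, d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:16} {name}")
```

For a real upload, run `gpg --verify` on the .changes file first, then call `verify_files(open("netty_4.1.48-7+deb12u2_source.changes").read(), ".")` from the directory holding the fetched files; anything other than `ok` for every entry means the download is not the signed artefact.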