-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Feb 2026 11:26:12 +0100
Source: netty
Binary: libnetty-java
Architecture: all
Version: 1:4.1.48-10+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-01)
Changed-By: Bastien Roucariès
Description:
 libnetty-java - Java NIO client/server socket framework
Closes: 1111105 1113994 1118282 1123606
Changes:
 netty (1:4.1.48-10+deb13u1) trixie-security; urgency=high
 .
   * Team upload
   * Fix CVE-2025-55163 (Closes: #1111105)
     Netty is vulnerable to MadeYouReset DDoS. This is a logical
     vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2
     control frames in order to break the max concurrent streams limit,
     which results in resource exhaustion and distributed denial of
     service.
   * Fix CVE-2025-58056 (Closes: #1113994)
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service.
     BrotliDecoder.decompress has no limit in how often it calls pull,
     decompressing data 64K bytes at a time. The buffers are saved in the
     output list, and remain reachable until OOM is hit.
   * Fix CVE-2025-58057:
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service.
     BrotliDecoder.decompress has no limit in how often it calls pull,
     decompressing data 64K bytes at a time. The buffers are saved in the
     output list, and remain reachable until OOM is hit.
     (Closes: #1113994)
   * Fix CVE-2025-59419 (Closes: #1118282)
     SMTP Command Injection Vulnerability Allowing Email Forgery
     An SMTP Command Injection (CRLF Injection) vulnerability in Netty's
     SMTP codec allows a remote attacker who can control SMTP command
     parameters (e.g., an email recipient) to forge arbitrary emails from
     the trusted server. This bypasses standard email authentication and
     can be used to impersonate executives and forge high-stakes corporate
     communications.
   * Fix CVE-2025-67735 (Closes: #1123606)
     `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection
     with the request URI when constructing a request. This leads to
     request smuggling when `HttpRequestEncoder` is used without proper
     sanitization of the URI. Any application / framework using
     `HttpRequestEncoder` can be subject to be abused to perform request
     smuggling using CRLF injection.
Checksums-Sha1:
 b61ea6f4df5c8fbb7969cc47aa0ba2f5e7955ef8 3680312 libnetty-java_4.1.48-10+deb13u1_all.deb
 902db2dc40fb22c52dbb1f488e7b0ca81c6683c9 15978 netty_4.1.48-10+deb13u1_all-buildd.buildinfo
Checksums-Sha256:
 f20d120cab9828f3598d9cca46203fecfbec083a088b3d843218d262f1cba84e 3680312 libnetty-java_4.1.48-10+deb13u1_all.deb
 ec3afac78a7be5e96d3c46b836f35950a348273ce125e47517b8654d5950c223 15978 netty_4.1.48-10+deb13u1_all-buildd.buildinfo
Files:
 a2e47212e87c478c8520f656e8842c06 3680312 java optional libnetty-java_4.1.48-10+deb13u1_all.deb
 6b3e4a2908053275a57479a1c36da712 15978 java optional netty_4.1.48-10+deb13u1_all-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEaPzFtKPtF0JrKPV5iZlfn74WV6kFAmmhiXEACgkQiZlfn74W
V6l+yQ/+Of2pnix1ihrddZgBglUo/f/2LF7dabB6gt8h4DvEm5Pwg9j595TWUeTO
lg4HLtZ+OV0MpG3ShCUs9Z0nbwpLAZl32ExexyNWUoNjar5V8+uw8s3YOxT66MjV
Pi0iGvjGcvcV6cJZD2hm9Fl9jLbOB56nSB2fcGj3v6NsSa4MW8r5mWwqB1vc4j/O
My7HBBi5piSHjAzQsmC/mGE4jzyLLjPxqNz7esJ6B6wZN+2PqKqIxkC/b0buW4ZO
x1PWtIuLaeQX5ZRlJwwc0jJlB7r3rbR1tQqwHR+RJPhCcKA6qxrgE7eodbUNedQX
aDLrdqQXpDiRlixm3AHwv7WdtZKVP8qbXQuDk7BBcKulG+0k0Yo4QKsFf7RSXyD2
uJ5rUxSRD5ZeaU2CLBJ7TSJ+MCL1TUl5emrs9G/ItBgFiY/kMGesfj471f9hJDpj
zuXCDqkNkJ3R3I1tuPM2GAF42ZAc2m03LCtCtq7d14Zy6byEBeV/Zxe9qauV/uVb
6qJDsLP/y8qWVsOIlMaGrNZmABmQ3DU/JJvofdfPb3qbbsaHa2aHtj5BI61yRQ5W
vJ4zBft8c0ecaohvzZ5K58iC2b4PI9k0unjtJ8jVYAZvb3Cj/yQbb0bTu32yZV2r
1IqlMMqLeasv56xJetXMv5pK/daV+p05nDzxXpw19tpwLb6/F3I=
=J/t6
-----END PGP SIGNATURE-----