-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Feb 2026 11:26:12 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-10+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Bastien Roucariès
Closes: 1111105 1113994 1118282 1123606
Changes:
 netty (1:4.1.48-10+deb13u1) trixie-security; urgency=high
 .
   * Team upload
   * Fix CVE-2025-55163 (Closes: #1111105)
     Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability
     in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order
     to break the max concurrent streams limit, which results in resource
     exhaustion and distributed denial of service.
   * Fix CVE-2025-58056 (Closes: #1113994)
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service. BrotliDecoder.decompress
     has no limit in how often it calls pull, decompressing data 64K bytes at a
     time. The buffers are saved in the output list, and remain reachable until
     OOM is hit.
   * Fix CVE-2025-58057:
     When supplied with specially crafted input, BrotliDecoder and certain
     other decompression decoders will allocate a large number of reachable
     byte buffers, which can lead to denial of service. BrotliDecoder.decompress
     has no limit in how often it calls pull, decompressing data 64K bytes at a
     time. The buffers are saved in the output list, and remain reachable until
     OOM is hit. (Closes: #1113994)
   * Fix CVE-2025-59419 (Closes: #1118282)
     SMTP Command Injection Vulnerability Allowing Email Forgery
     An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP
     codec allows a remote attacker who can control SMTP command parameters
     (e.g., an email recipient) to forge arbitrary emails from the trusted
     server. This bypasses standard email authentication and can be used to
     impersonate executives and forge high-stakes corporate communications.
   * Fix CVE-2025-67735 (Closes: #1123606)
     `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with
     the request URI when constructing a request. This leads to request
     smuggling when `HttpRequestEncoder` is used without proper sanitization of
     the URI. Any application / framework using `HttpRequestEncoder` can be
     abused to perform request smuggling using CRLF injection.
Checksums-Sha1:
 2d598f6ddf79b58ff4b176f5ae9f7d77854c7ddc 2551 netty_4.1.48-10+deb13u1.dsc
 022ad0c0c76dd4ba14b1e44d11cf0b99f0feeb2b 1665244 netty_4.1.48.orig.tar.xz
 182fb5f4a0976f6b455b46e89dc0bab7ad2405e7 61456 netty_4.1.48-10+deb13u1.debian.tar.xz
 ab25080e25f1678e479631bbca67468d1046b1e2 14669 netty_4.1.48-10+deb13u1_source.buildinfo
Checksums-Sha256:
 b6dc5d7351acaf1b6d45123aa775317206cb786df4365625789a87ac1a4d2d1a 2551 netty_4.1.48-10+deb13u1.dsc
 e5351d821f461f64af58e89f260ad8943b0ab75f26c1a845300a91f22a711600 1665244 netty_4.1.48.orig.tar.xz
 af54ab17d8c2a5c1dcd65bfa9fddbdeb929a187efbc35b89de14ac68673cd0f4 61456 netty_4.1.48-10+deb13u1.debian.tar.xz
 90ac80fd9c7eb14ffed43c99ce900194ad936afcd31296dd41a30a04adb04a21 14669 netty_4.1.48-10+deb13u1_source.buildinfo
Files:
 ecf19318a52154180fed06ce5dca8c1f 2551 java optional netty_4.1.48-10+deb13u1.dsc
 ebc25581b3e2b6e1bb47200ba260a636 1665244 java optional netty_4.1.48.orig.tar.xz
 25add6a023a44d9d00007e7ff51fca59 61456 java optional netty_4.1.48-10+deb13u1.debian.tar.xz
 bdfaa4e9c26885fd6fabe13f28de81cc 14669 java optional netty_4.1.48-10+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJpoYPyCRAAOhotqkEIX0cUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmdn4mtN2KISSSokkbFz0+Y6NXfAYsIvP0dVeMOnIfH8
RRYhBF0Bh7lAokW617D1agA6Gi2qQQhfAADIoA//RHPWGIG2Wd00BPbBfHTVhWKu
szSjdVMPe/ADjqTXw7uSMI8mcPzMzCXslvArPeuwPc9YWR9BtVeTCSlAR4y5NrCY
bBq6webAzfuGhX7JvzKFe9sFXQYdnL3MTR6jU9bO4eRLcgQmg0y4PBTTvPePwMC4
ti7ezfeVuvyit18s0utzBEMuk/F4mHE9gJSRQ+Le8VxoZU8kBC04TRdVbaatIFdk
3nS42jxVXaUB6cIT7CqMay3DvWq9+GvjqFA47aGlYe8k8Y3gb85Xv5xJok/aR845
X1nYr3ThOlINs1pp13c0t+pfH+OrX0upEYVjuuvCNBtqULukaIEl0Lx8xEC5kOI9
hnE1OD6kBSYsWLBbappHxbYjLd2QHU4fTKzguhKd+1x4DDFfYRHhbg3i5lQUnC1o
MU9kKYlJNGMgbllV9vNimgU5nUjdoMjqO1jCHQi+pcbkUPvKUcNqeAw3CAv3JoK8
Qu/XmxMjjJVn6DRclfCejnJ3G4Bmf91y+WT9ZvaMm3675ck3B8sYpsXsEnGoayto
xkkDJ8nWkHKwXglEgkHC4A7VWVRS+QsED099ViBRWru4AzGXYvXoshmUBjke2Xwe
kmSiQ+Mxj3UmBGY708HtmeLCQ8KK9cjayyf91hZN0IDlSUNujWuhM2dPHi4RG7Bd
XQPe348/RjQmvGt9ZDU=
=rXEF
-----END PGP SIGNATURE-----
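The "proper sanitization of the URI" that the CVE-2025-67735 entry refers to is an input check placed in front of the encoder: `HttpRequestEncoder` writes the request-target verbatim into the request line, so a raw CR or LF in it ends that line early and the rest is read as further header lines. The Java class below is an added example, not code from the netty project or from this upload; the class name `RequestTargetGuard` and the sample inputs in `main` are constructed for illustration. It rejects any request-target carrying raw control or whitespace characters while accepting a correctly percent-encoded one, which is the distinction an application has to enforce before handing a caller-supplied URI to the codec.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not Netty code). Validates a request-target before it reaches
 * an encoder that copies the URI into the request line without escaping it.
 */
public final class RequestTargetGuard {

    private RequestTargetGuard() {}

    /**
     * Returns true only if the request-target cannot break the request line.
     * The request line is delimited by SP and CRLF, so CR, LF, every other
     * control character and any whitespace must never appear raw in it.
     */
    public static boolean isSafeRequestTarget(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c <= 0x20 || c == 0x7F) {
                return false; // raw control / whitespace character, including CR and LF
            }
        }
        try {
            // Syntactic check: characters that are illegal in a URI make this throw.
            new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        return true;
    }

    /** Throwing variant for call sites that build the request directly from caller input. */
    public static String requireSafeRequestTarget(String target) {
        if (!isSafeRequestTarget(target)) {
            throw new IllegalArgumentException("request-target contains forbidden characters");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an ordinary target, one with the line delimiter
        // percent-encoded (stays inside the query, so it is accepted), and one with a
        // raw CRLF (rejected, because the encoder would emit it as a new header line).
        String[] samples = {
            "/search?q=netty",
            "/search?q=a%0D%0AX-Injected:%20yes",
            "/search?q=a\r\nX-Injected: yes",
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(isSafeRequestTarget(s) + "  " + shown);
        }
    }
}
```

Percent-encoding is the right way to carry such bytes in a query string, which is why the second sample passes: the encoder then writes `%0D%0A` literally and the peer never sees a line break. The same rule applies to the SMTP-parameter case in the CVE-2025-59419 entry, where a recipient address containing CR or LF must be refused before it is placed into a command.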