Overview

File _patchinfo of Package patchinfo.40322

<patchinfo incident="40322">
  <issue tracker="cve" id="2025-55163"/>
  <issue tracker="cve" id="2025-58056"/>
  <issue tracker="cve" id="2025-58057"/>
  <issue tracker="bnc" id="1247991">VUL-0: CVE-2025-55163: netty: HTTP/2 protocol (including DNS over HTTPS) is vulnerable to "MadeYouReset" DoS attack</issue>
  <issue tracker="bnc" id="1249134">VUL-0: CVE-2025-58057: netty: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack</issue>
  <issue tracker="bnc" id="1249116">VUL-0: CVE-2025-58056: netty,netty3: incorrectly accepts standalone newline characters (LF)</issue>
  <packager>fstrba</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for netty, netty-tcnative</summary>
  <description>This update for netty, netty-tcnative fixes the following issues:

Upgrade to upstream version 4.1.126.
    
Security issues fixed:
    
- CVE-2025-58057: decompression codecs allocating a large number of buffers after processing specially crafted input can
  cause a denial of service (bsc#1249134).
- CVE-2025-58056: incorrect parsing of chunk extensions can lead to request smuggling (bsc#1249116).
- CVE-2025-55163: "MadeYouReset" denial of serivce attack in the HTTP/2 protocol (bsc#1247991).
    
Other issues fixed:

- Fixes from version 4.1.126
  * Fix IllegalReferenceCountException on invalid upgrade response.
  * Drop unknown frame on missing stream.
  * Don't try to handle incomplete upgrade request.
  * Update to netty-tcnative 2.0.73Final.
    
- Fixes from version 4.1.124
  * Fix NPE and AssertionErrors when many tasks are scheduled and cancelled.
  * HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder.
  * Epoll: Correctly handle UDP packets with source port of 0.
  * Fix netty-common OSGi Import-Package header.
  * MqttConnectPayload.toString() includes password.

- Fixes from version 4.1.123
  * Fix chunk reuse bug in adaptive allocator.
  * More accurate adaptive memory usage accounting.
  * Introduce size-classes for the adaptive allocator.
  * Reduce magazine proliferation eagerness.
  * Fix concurrent ByteBuffer access issue in AdaptiveByteBuf.getBytes.
  * Fix possible buffer corruption caused by incorrect setCharSequence(...) implementation.
  * AdaptiveByteBuf: Fix AdaptiveByteBuf.maxFastWritableBytes() to take writerIndex() into account.
  * Optimize capacity bumping for adaptive ByteBufs.
  * AbstractDnsRecord: equals() and hashCode() to ignore name field's case.
  * Backport Unsafe guards.
  * Guard recomputed offset access with hasUnsafe.
  * HTTP2: Always produce a RST frame on stream exception.
  * Correct what artifacts included in netty-bom.

- Fixes from version 4.1.122
  * DirContextUtils.addNameServer(...) should just catch Exception internally.
  * Make public API specify explicit maxAllocation to prevent OOM.
  * Fix concurrent ByteBuf write access bug in adaptive allocator.
  * Fix transport-native-kqueue Bundle-SymbolicNames.
  * Fix resolver-dns-native-macos Bundle-SymbolicNames.
  * Always correctly calculate the memory address of the ByteBuf even if sun.misc.Unsafe is not usable.
  * Upgrade lz4 dependencies as the old version did not correctly handle ByteBuffer that have an arrayOffset &gt; 0.
  * Optimize ByteBuf.setCharSequence for adaptive allocator.
  * Kqueue: Fix registration failure when fd is reused.
  * Make JdkZlibEncoder accept Deflater.DEFAULT_COMPRESSION as level.
  * Ensure OpenSsl.availableJavaCipherSuites does not contain null values.
  * Always prefer direct buffers for pooled allocators if not explicit disabled.
  * Update to netty-tcnative 2.0.72.Final.
  * Re-enable sun.misc.Unsafe by default on Java 24+.
  * Kqueue: Delay removal from registration map to fix noisy warnings.

- Fixes from version 4.1.121
  * Epoll.isAvailable() returns false on Ubuntu 20.04/22.04 arch amd64.
  * Fix transport-native-epoll Bundle-SymbolicNames.

- Fixes from version 4.1.120
  * Fix flawed termination condition check in HttpPostRequestEncoder#encodeNextChunkUrlEncoded(int) for current
    InterfaceHttpData.
  * Exposed decoderEnforceMaxConsecutiveEmptyDataFrames and decoderEnforceMaxRstFramesPerWindow.
  * ThreadExecutorMap must restore old EventExecutor.
  * Make Recycler virtual thread friendly.
  * Disable sun.misc.Unsafe by default on Java 24+.
  * Adaptive: Correctly enforce leak detection when using AdaptiveByteBufAllocator.
  * Add suppressed exception to original cause when calling Future.sync*.
  * Add SETTINGS_ENABLE_CONNECT_PROTOCOL to the default HTTP/2 settings.
  * Correct computation for suboptimal chunk retirement probability.
  * Fix bug in method AdaptivePoolingAllocator.allocateWithoutLock(...).
  * Fix a Bytebuf leak in TcpDnsQueryDecoder.
  * SSL: Clear native error if named group is not supported.
  * WebSocketClientCompressionHandler shouldn't claim window bits support when jzlib is not available.
  * Fix the assignment error of maxQoS parameter in ConnAck Properties.

- Fixes from version 4.1.119
  * Replace SSL assertion with explicit record length check.
  * Fix NPE when upgrade message fails to aggregate.
  * SslHandler: Fix possible NPE when executor is used for delegating.
  * Consistently add channel info in HTTP/2 logs.
  * Add QueryStringDecoder option to leave '+' alone.
  * Use initialized BouncyCastle providers when available.

- Fix pom.xml errors that will be fatal with Maven 4
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places