File _patchinfo of Package patchinfo.42016

<patchinfo incident="42016">
  <issue tracker="bnc" id="1255048">VUL-0: CVE-2025-67735: netty: CRLF injection constructing a request can lead to request smuggling</issue>
  <issue tracker="cve" id="2025-67735"/>
  <packager>fstrba</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for netty</summary>
  <description>This update for netty fixes the following issues:

Update to upstream version 4.1.130.

Security issues fixed:

- CVE-2025-67735: lack of URI sanitization in `HttpRequestEncoder` allows for CRLF injection through a request URI and
  can lead to request smuggling (bsc#1255048).

Other updates and bugfixes:

- Version 4.1.130:
  * Update `lz4-java` version to 1.10.1
  * Close `Channel` and fail bootstrap when setting a `ChannelOption` causes an error
  * Discard the following `HttpContent` for preflight request
  * Fix race condition in `NonStickyEventExecutorGroup` causing incorrect `inEventLoop()` results
  * Fix Zstd compression for large data
  * Fix `ZstdEncoder` not producing data when source is smaller than block
  * Make big endian ASCII hashcode consistent with little endian
  * Fix reentrancy bug in `ByteToMessageDecoder`
  * Add 32k and 64k size classes to adaptive allocator
  * Re-enable reflective field accesses in native images
  * Correct HTTP/2 padding length check
  * Fix HTTP startline validation
  * Fix `MpscIntQueue` bug

- Build against the `org.jboss:jdk-misc` artifact that is implementing the `sun.misc` classes removed in Java 25
</description>
</patchinfo>