Description
Security update for netty, netty-tcnative
This update for netty, netty-tcnative fixes the following issues:
Upgrade to upstream version 4.1.126.
Security issues fixed:
- CVE-2025-58057: decompression codecs allocating a large number of buffers after processing specially crafted input can cause a denial of service (bsc#1249134).
- CVE-2025-58056: incorrect parsing of chunk extensions can lead to request smuggling (bsc#1249116).
- CVE-2025-55163: 'MadeYouReset' denial of service attack in the HTTP/2 protocol (bsc#1247991).
Other issues fixed:
Fixes from version 4.1.126:
- Fix IllegalReferenceCountException on invalid upgrade response.
- Drop unknown frame on missing stream.
- Don't try to handle incomplete upgrade request.
- Update to netty-tcnative 2.0.73.Final.
Fixes from version 4.1.124:
- Fix NPE and AssertionErrors when many tasks are scheduled and cancelled.
- HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder.
- Epoll: Correctly handle UDP packets with source port of 0.
- Fix netty-common OSGi Import-Package header.
- MqttConnectPayload.toString() includes password.
Fixes from version 4.1.123:
- Fix chunk reuse bug in adaptive allocator.
- More accurate adaptive memory usage accounting.
- Introduce size-classes for the adaptive allocator.
- Reduce magazine proliferation eagerness.
- Fix concurrent ByteBuffer access issue in AdaptiveByteBuf.getBytes.
- Fix possible buffer corruption caused by incorrect setCharSequence(...) implementation.
- AdaptiveByteBuf: Fix AdaptiveByteBuf.maxFastWritableBytes() to take writerIndex() into account.
- Optimize capacity bumping for adaptive ByteBufs.
- AbstractDnsRecord: equals() and hashCode() to ignore name field's case.
- Backport Unsafe guards.
- Guard recomputed offset access with hasUnsafe.
- HTTP2: Always produce a RST frame on stream exception.
- Correct which artifacts are included in netty-bom.
Fixes from version 4.1.122:
- DirContextUtils.addNameServer(...) should just catch Exception internally.
- Make public API specify explicit maxAllocation to prevent OOM.
- Fix concurrent ByteBuf write access bug in adaptive allocator.
- Fix transport-native-kqueue Bundle-SymbolicNames.
- Fix resolver-dns-native-macos Bundle-SymbolicNames.
- Always correctly calculate the memory address of the ByteBuf even if sun.misc.Unsafe is not usable.
- Upgrade lz4 dependencies, as the old version did not correctly handle ByteBuffers that have an arrayOffset > 0.
- Optimize ByteBuf.setCharSequence for adaptive allocator.
- Kqueue: Fix registration failure when fd is reused.
- Make JdkZlibEncoder accept Deflater.DEFAULT_COMPRESSION as level.
- Ensure OpenSsl.availableJavaCipherSuites does not contain null values.
- Always prefer direct buffers for pooled allocators if not explicitly disabled.
- Update to netty-tcnative 2.0.72.Final.
- Re-enable sun.misc.Unsafe by default on Java 24+.
- Kqueue: Delay removal from registration map to fix noisy warnings.
Fixes from version 4.1.121:
- Epoll.isAvailable() returns false on Ubuntu 20.04/22.04 arch amd64.
- Fix transport-native-epoll Bundle-SymbolicNames.
Fixes from version 4.1.120:
- Fix flawed termination condition check in HttpPostRequestEncoder#encodeNextChunkUrlEncoded(int) for current InterfaceHttpData.
- Exposed decoderEnforceMaxConsecutiveEmptyDataFrames and decoderEnforceMaxRstFramesPerWindow.
- ThreadExecutorMap must restore old EventExecutor.
- Make Recycler virtual thread friendly.
- Disable sun.misc.Unsafe by default on Java 24+.
- Adaptive: Correctly enforce leak detection when using AdaptiveByteBufAllocator.
- Add suppressed exception to original cause when calling Future.sync*.
- Add SETTINGS_ENABLE_CONNECT_PROTOCOL to the default HTTP/2 settings.
- Correct computation for suboptimal chunk retirement probability.
- Fix bug in method AdaptivePoolingAllocator.allocateWithoutLock(...).
- Fix a Bytebuf leak in TcpDnsQueryDecoder.
- SSL: Clear native error if named group is not supported.
- WebSocketClientCompressionHandler shouldn't claim window bits support when jzlib is not available.
- Fix the assignment error of maxQoS parameter in ConnAck Properties.
Fixes from version 4.1.119:
- Replace SSL assertion with explicit record length check.
- Fix NPE when upgrade message fails to aggregate.
- SslHandler: Fix possible NPE when executor is used for delegating.
- Consistently add channel info in HTTP/2 logs.
- Add QueryStringDecoder option to leave '+' alone.
- Use initialized BouncyCastle providers when available.
- Fix pom.xml errors that will be fatal with Maven 4.
Package list
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
SUSE Linux Enterprise Module for Development Tools 15 SP6
SUSE Linux Enterprise Module for Development Tools 15 SP7
SUSE Linux Enterprise Module for Package Hub 15 SP6
SUSE Linux Enterprise Module for Package Hub 15 SP7
SUSE Linux Enterprise Server 15 SP3-LTSS
SUSE Linux Enterprise Server 15 SP4-LTSS
SUSE Linux Enterprise Server 15 SP5-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP5
openSUSE Leap 15.6
References
- Link for SUSE-SU-2025:03114-1
- E-Mail link for SUSE-SU-2025:03114-1
- SUSE Security Ratings
- SUSE Bug 1247991
- SUSE Bug 1249116
- SUSE Bug 1249134
- SUSE CVE CVE-2025-55163 page
- SUSE CVE CVE-2025-58056 page
- SUSE CVE CVE-2025-58057 page
Description
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
Affected products
References
- CVE-2025-55163
- SUSE Bug 1243888
- SUSE Bug 1244252
- SUSE Bug 1247991
Description
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
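The chunk-size line handling described above, as an added example that is not Netty's code: a minimal chunked-body decoder whose `strict` flag switches between the correct CRLF-only terminator and the lenient bare-LF acceptance the advisory describes. The sample bodies are constructed for this example; the function names are this example's own.

```python
"""Strict vs lenient chunk-size line parsing (added example, not Netty's code).

HTTP/1.1 requires each chunk-size line to end in CRLF. A decoder that also
accepts a bare LF can disagree with an upstream proxy about where a chunk
header ends, which is the parsing mismatch behind CVE-2025-58056.
Sample bodies passed to these functions are constructed for this example.
"""
import re

# hex chunk size, optional ";ext" extension, no stray CR or LF inside the line
CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)(;[^\r\n]*)?$")


def read_chunk_size_line(buf: bytes, start: int, strict: bool = True):
    """Return (chunk_size, offset_after_line) for the chunk-size line at start.

    strict=True  : the line must end in CRLF; a bare LF is rejected.
    strict=False : a bare LF is accepted as terminator (the defective behaviour).
    Raises ValueError on malformed input.
    """
    end = buf.find(b"\n", start)
    if end == -1:
        raise ValueError("chunk-size line not terminated")
    if end > start and buf[end - 1:end] == b"\r":
        line = buf[start:end - 1]          # proper CRLF terminator
    elif strict:
        raise ValueError("chunk-size line terminated by bare LF")
    else:
        line = buf[start:end]              # lenient: LF alone ends the line
    m = CHUNK_SIZE_LINE.match(line)
    if not m:
        raise ValueError(f"malformed chunk-size line: {line!r}")
    return int(m.group(1), 16), end + 1


def decode_chunked(body: bytes, strict: bool = True) -> bytes:
    """Decode a chunked message body up to the zero-size (last) chunk."""
    out = bytearray()
    pos = 0
    while True:
        size, pos = read_chunk_size_line(body, pos, strict)
        if size == 0:
            return bytes(out)
        data = body[pos:pos + size]
        # chunk data must be exactly `size` bytes and followed by CRLF
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        out += data
        pos += size + 2
```

The same body with a bare-LF chunk header decodes only in lenient mode; the strict decoder rejects it, which is the behaviour the fixed versions restore.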
Affected products
References
- CVE-2025-58056
- SUSE Bug 1249116
Description
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
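The unbounded pull loop described above, as an added example that is not Netty's code: a decompression loop that pulls output in 64K steps but enforces a hard cap on total decompressed bytes, so memory held stays O(cap) regardless of the compressed input. zlib stands in for Brotli here, and the sample stream is constructed; names are this example's own.

```python
"""Bounded decompression (added example, not Netty's code).

CVE-2025-58057 describes a decoder that keeps calling its decompressor and
appending 64K output buffers to a list with no upper bound, so a small
compressed input can expand until the JVM runs out of memory. This loop uses
zlib as a stand-in codec (the advisory concerns Brotli) and stops as soon as
the configured output cap would be exceeded. The input is constructed.
"""
import zlib

PULL_SIZE = 64 * 1024  # output pulled per call, mirroring the advisory's 64K


class OutputLimitExceeded(ValueError):
    """Raised when the decompressed output would exceed the configured cap."""


def sample_stream(n_bytes: int) -> bytes:
    """Constructed input: a tiny zlib stream that inflates to n_bytes zeros."""
    return zlib.compress(b"\x00" * n_bytes)


def decompress_bounded(data: bytes, max_output: int) -> bytes:
    """Inflate data, raising OutputLimitExceeded once more than max_output
    bytes would be produced. At most max_output + 1 bytes are ever held."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        # max_length bounds what this single pull may produce; it is never 0,
        # because 0 means "unlimited" for zlib.
        budget = min(PULL_SIZE, max_output - len(out) + 1)
        produced = d.decompress(pending, budget)
        out += produced
        if len(out) > max_output:
            raise OutputLimitExceeded(
                f"decompressed output exceeds {max_output} bytes")
        pending = d.unconsumed_tail       # input not yet consumed this pull
        if d.eof:
            return bytes(out)
        if not pending and not produced:
            # input exhausted without an end-of-stream marker
            raise ValueError("truncated compressed stream")
```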
Affected products
References
- CVE-2025-58057
- SUSE Bug 1249134