[SECURITY] [DLA 4519-1] netty security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 4519-1] netty security update
From: rouca@debian.org
Date: Tue, 31 Mar 2026 22:23:49 +0200
Message-id: <[🔎] f4e82a54458f6283bcd2506339ab317c@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4519-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien RoucariÃ¨s
March 31, 2026                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : netty
Version        : 1:4.1.48-4+deb11u3
CVE ID         : CVE-2024-29025 CVE-2025-55163 CVE-2025-58056 CVE-2025-58057 
                 CVE-2025-59419 CVE-2025-67735
Debian Bug     : 1068110 1111105 1113994 1118282 1123606


Several security vulnerabilities have been discovered in Netty, a Java NIO
client/server socket framework. It was found that Netty was vulnerable to the
MadeYouReset DDoS attack, a logical vulnerability in the HTTP/2 protocol
itself and programming errors which enabled request smuggling attacks.
Additionally Netty contained an SMTP command injection vulnerability due to
insufficient input validation potentially allowing remote attackers to forge
arbitrary emails from trusted servers.

The security update also contains the fix for CVE-2024-29025.
Julien Viet discovered that Netty was vulnerable to allocation of resources
without limits or throttling due to the accumulation of data in the
HttpPostRequestDecoder. This would allow an attacker to cause a denial of
service.

For Debian 11 bullseye, these problems have been fixed in version
1:4.1.48-4+deb11u3.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/netty

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmnMLVUACgkQADoaLapB
CF90ShAAq0OXDUPmL8f7YTFKR4RH1tmINU3r682oIJy4SzK+9rBmVowVBBRSQwQa
wrMrOFReUUoFIpn2yABPgU5+C2i2h1YBDgcQvPVgVMZl7JMdYulpFKs6ToMxCQLa
Y2MYtJdne773T3SOV4LxTcHI3Hap14FaGbXVlccZneqoC00jduQXEcfHqzAkamx8
FdDCQ3owlcy6rbRwqoXhvzN38+s8EwbM+0fjZLnTVvgWEJqFNmGq+Wj+vtwYRLLx
v2jJa447SLpPayEDfCo92p1Gw9AzCfLwoz2z1OVATJdwt+IMwEF1Y2cZPIrWqjvY
VplXGT8LPbDjDw1yU7avuYpCe3UcANp1LQzDstTJnnLr+iaVZdxCKNM4r0HbJjT7
taO3+uHLpLWbltf8oCKLYHxC34TRu3RsZ8uKrNAfMTLlWVdxkNZVrmvdfH2Y9HEQ
Q1oFxzIt1m0EAKrFqDjN5fbeAejVj1gbN3zE2UlASpW15+iXjM3X6xod/0rsa7Mk
vZw9NaMu/ZixQoHZl+6qRvfzCUzQrp6fOROmlIEtsMUXiOZS6JztM4ecxO69+wjv
cJSdZ40L75pkk7UtzS2ruou3JvZEe+PcO94ZZOIaA9YEvIalP3SaA+Vr6LgqUXdg
c3D936B2Bxb2NsRXE4DKhOZiA2BNssFnKfeTRRwEBNPt587dduM=
=BYPK
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4518-1] phpseclib security update
Previous by thread: [SECURITY] [DLA 4518-1] phpseclib security update
Index(es):
- Date
- Thread