{"affected":[{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Development Tools 15 SP6","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Development Tools 15 SP7","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty":"4.1.126-150200.4.34.1","netty-javadoc":"4.1.126-150200.4.34.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP6","name":"netty","purl":"pkg:rpm/suse/netty&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.1.126-150200.4.34.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty":"4.1.126-150200.4.34.1","netty-javadoc":"4.1.126-150200.4.34.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP7","name":"netty","purl":"pkg:rpm/suse/netty&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.1.126-150200.4.34.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 
SP3-LTSS","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP5-ESPOS","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSS","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise 
Server 15 SP3-LTSS","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP4-LTSS","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP5-LTSS","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP3","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP4","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 
SP5","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty-tcnative":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"SUSE:Enterprise Storage 7.1","name":"netty-tcnative","purl":"pkg:rpm/suse/netty-tcnative&distro=SUSE%20Enterprise%20Storage%207.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty":"4.1.126-150200.4.34.1","netty-javadoc":"4.1.126-150200.4.34.1","netty-tcnative":"2.0.73-150200.3.30.1","netty-tcnative-javadoc":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"netty","purl":"pkg:rpm/opensuse/netty&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.1.126-150200.4.34.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty":"4.1.126-150200.4.34.1","netty-javadoc":"4.1.126-150200.4.34.1","netty-tcnative":"2.0.73-150200.3.30.1","netty-tcnative-javadoc":"2.0.73-150200.3.30.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"netty-tcnative","purl":"pkg:rpm/opensuse/netty-tcnative&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.73-150200.3.30.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for netty, netty-tcnative fixes the following issues:\n\nUpgrade to upstream version 4.1.126.\n    \nSecurity issues fixed:\n    \n- CVE-2025-58057: decompression codecs allocating a large number of buffers after processing specially crafted input can\n  cause a denial of service (bsc#1249134).\n- CVE-2025-58056: incorrect parsing of chunk extensions can lead to request smuggling (bsc#1249116).\n- CVE-2025-55163: 'MadeYouReset' denial of service attack in the HTTP/2 protocol (bsc#1247991).\n    \nOther issues fixed:\n\n- Fixes 
from version 4.1.126\n  * Fix IllegalReferenceCountException on invalid upgrade response.\n  * Drop unknown frame on missing stream.\n  * Don't try to handle incomplete upgrade request.\n  * Update to netty-tcnative 2.0.73Final.\n    \n- Fixes from version 4.1.124\n  * Fix NPE and AssertionErrors when many tasks are scheduled and cancelled.\n  * HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder.\n  * Epoll: Correctly handle UDP packets with source port of 0.\n  * Fix netty-common OSGi Import-Package header.\n  * MqttConnectPayload.toString() includes password.\n\n- Fixes from version 4.1.123\n  * Fix chunk reuse bug in adaptive allocator.\n  * More accurate adaptive memory usage accounting.\n  * Introduce size-classes for the adaptive allocator.\n  * Reduce magazine proliferation eagerness.\n  * Fix concurrent ByteBuffer access issue in AdaptiveByteBuf.getBytes.\n  * Fix possible buffer corruption caused by incorrect setCharSequence(...) implementation.\n  * AdaptiveByteBuf: Fix AdaptiveByteBuf.maxFastWritableBytes() to take writerIndex() into account.\n  * Optimize capacity bumping for adaptive ByteBufs.\n  * AbstractDnsRecord: equals() and hashCode() to ignore name field's case.\n  * Backport Unsafe guards.\n  * Guard recomputed offset access with hasUnsafe.\n  * HTTP2: Always produce a RST frame on stream exception.\n  * Correct what artifacts included in netty-bom.\n\n- Fixes from version 4.1.122\n  * DirContextUtils.addNameServer(...) 
should just catch Exception internally.\n  * Make public API specify explicit maxAllocation to prevent OOM.\n  * Fix concurrent ByteBuf write access bug in adaptive allocator.\n  * Fix transport-native-kqueue Bundle-SymbolicNames.\n  * Fix resolver-dns-native-macos Bundle-SymbolicNames.\n  * Always correctly calculate the memory address of the ByteBuf even if sun.misc.Unsafe is not usable.\n  * Upgrade lz4 dependencies as the old version did not correctly handle ByteBuffer that have an arrayOffset > 0.\n  * Optimize ByteBuf.setCharSequence for adaptive allocator.\n  * Kqueue: Fix registration failure when fd is reused.\n  * Make JdkZlibEncoder accept Deflater.DEFAULT_COMPRESSION as level.\n  * Ensure OpenSsl.availableJavaCipherSuites does not contain null values.\n  * Always prefer direct buffers for pooled allocators if not explicit disabled.\n  * Update to netty-tcnative 2.0.72.Final.\n  * Re-enable sun.misc.Unsafe by default on Java 24+.\n  * Kqueue: Delay removal from registration map to fix noisy warnings.\n\n- Fixes from version 4.1.121\n  * Epoll.isAvailable() returns false on Ubuntu 20.04/22.04 arch amd64.\n  * Fix transport-native-epoll Bundle-SymbolicNames.\n\n- Fixes from version 4.1.120\n  * Fix flawed termination condition check in HttpPostRequestEncoder#encodeNextChunkUrlEncoded(int) for current\n    InterfaceHttpData.\n  * Exposed decoderEnforceMaxConsecutiveEmptyDataFrames and decoderEnforceMaxRstFramesPerWindow.\n  * ThreadExecutorMap must restore old EventExecutor.\n  * Make Recycler virtual thread friendly.\n  * Disable sun.misc.Unsafe by default on Java 24+.\n  * Adaptive: Correctly enforce leak detection when using AdaptiveByteBufAllocator.\n  * Add suppressed exception to original cause when calling Future.sync*.\n  * Add SETTINGS_ENABLE_CONNECT_PROTOCOL to the default HTTP/2 settings.\n  * Correct computation for suboptimal chunk retirement probability.\n  * Fix bug in method AdaptivePoolingAllocator.allocateWithoutLock(...).\n  * Fix a 
Bytebuf leak in TcpDnsQueryDecoder.\n  * SSL: Clear native error if named group is not supported.\n  * WebSocketClientCompressionHandler shouldn't claim window bits support when jzlib is not available.\n  * Fix the assignment error of maxQoS parameter in ConnAck Properties.\n\n- Fixes from version 4.1.119\n  * Replace SSL assertion with explicit record length check.\n  * Fix NPE when upgrade message fails to aggregate.\n  * SslHandler: Fix possible NPE when executor is used for delegating.\n  * Consistently add channel info in HTTP/2 logs.\n  * Add QueryStringDecoder option to leave '+' alone.\n  * Use initialized BouncyCastle providers when available.\n\n- Fix pom.xml errors that will be fatal with Maven 4\n","id":"SUSE-SU-2025:03114-1","modified":"2025-09-09T10:35:14Z","published":"2025-09-09T10:35:14Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202503114-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247991"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249116"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249134"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-55163"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58056"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58057"}],"related":["CVE-2025-55163","CVE-2025-58056","CVE-2025-58057"],"summary":"Security update for netty, netty-tcnative","upstream":["CVE-2025-55163","CVE-2025-58056","CVE-2025-58057"]}