SUSE-SU-2025:03114-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202503114-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:03114-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2025:03114-1
Published
2025-09-09T10:35:14Z
Modified
2025-09-09T18:01:07.197140Z
Summary
Security update for netty, netty-tcnative
Details

This update for netty, netty-tcnative fixes the following issues:

Upgrade to upstream version 4.1.126.

Security issues fixed:

  • CVE-2025-58057: decompression codecs allocating a large number of buffers after processing specially crafted input can cause a denial of service (bsc#1249134).
  • CVE-2025-58056: incorrect parsing of chunk extensions can lead to request smuggling (bsc#1249116).
  • CVE-2025-55163: 'MadeYouReset' denial of service attack in the HTTP/2 protocol (bsc#1247991).

Other issues fixed:

  • Fixes from version 4.1.126

    • Fix IllegalReferenceCountException on invalid upgrade response.
    • Drop unknown frame on missing stream.
    • Don't try to handle incomplete upgrade request.
    • Update to netty-tcnative 2.0.73.Final.
  • Fixes from version 4.1.124

    • Fix NPE and AssertionErrors when many tasks are scheduled and cancelled.
    • HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder.
    • Epoll: Correctly handle UDP packets with source port of 0.
    • Fix netty-common OSGi Import-Package header.
    • MqttConnectPayload.toString() includes password.
  • Fixes from version 4.1.123

    • Fix chunk reuse bug in adaptive allocator.
    • More accurate adaptive memory usage accounting.
    • Introduce size-classes for the adaptive allocator.
    • Reduce magazine proliferation eagerness.
    • Fix concurrent ByteBuffer access issue in AdaptiveByteBuf.getBytes.
    • Fix possible buffer corruption caused by incorrect setCharSequence(...) implementation.
    • AdaptiveByteBuf: Fix AdaptiveByteBuf.maxFastWritableBytes() to take writerIndex() into account.
    • Optimize capacity bumping for adaptive ByteBufs.
    • AbstractDnsRecord: equals() and hashCode() to ignore name field's case.
    • Backport Unsafe guards.
    • Guard recomputed offset access with hasUnsafe.
    • HTTP2: Always produce a RST frame on stream exception.
    • Correct which artifacts are included in netty-bom.
  • Fixes from version 4.1.122

    • DirContextUtils.addNameServer(...) should just catch Exception internally.
    • Make public API specify explicit maxAllocation to prevent OOM.
    • Fix concurrent ByteBuf write access bug in adaptive allocator.
    • Fix transport-native-kqueue Bundle-SymbolicNames.
    • Fix resolver-dns-native-macos Bundle-SymbolicNames.
    • Always correctly calculate the memory address of the ByteBuf even if sun.misc.Unsafe is not usable.
    • Upgrade lz4 dependencies, as the old version did not correctly handle ByteBuffers that have an arrayOffset > 0.
    • Optimize ByteBuf.setCharSequence for adaptive allocator.
    • Kqueue: Fix registration failure when fd is reused.
    • Make JdkZlibEncoder accept Deflater.DEFAULT_COMPRESSION as level.
    • Ensure OpenSsl.availableJavaCipherSuites does not contain null values.
    • Always prefer direct buffers for pooled allocators unless explicitly disabled.
    • Update to netty-tcnative 2.0.72.Final.
    • Re-enable sun.misc.Unsafe by default on Java 24+.
    • Kqueue: Delay removal from registration map to fix noisy warnings.
  • Fixes from version 4.1.121

    • Epoll.isAvailable() returns false on Ubuntu 20.04/22.04 arch amd64.
    • Fix transport-native-epoll Bundle-SymbolicNames.
  • Fixes from version 4.1.120

    • Fix flawed termination condition check in HttpPostRequestEncoder#encodeNextChunkUrlEncoded(int) for current InterfaceHttpData.
    • Exposed decoderEnforceMaxConsecutiveEmptyDataFrames and decoderEnforceMaxRstFramesPerWindow.
    • ThreadExecutorMap must restore old EventExecutor.
    • Make Recycler virtual thread friendly.
    • Disable sun.misc.Unsafe by default on Java 24+.
    • Adaptive: Correctly enforce leak detection when using AdaptiveByteBufAllocator.
    • Add suppressed exception to original cause when calling Future.sync*.
    • Add SETTINGS_ENABLE_CONNECT_PROTOCOL to the default HTTP/2 settings.
    • Correct computation for suboptimal chunk retirement probability.
    • Fix bug in method AdaptivePoolingAllocator.allocateWithoutLock(...).
    • Fix a Bytebuf leak in TcpDnsQueryDecoder.
    • SSL: Clear native error if named group is not supported.
    • WebSocketClientCompressionHandler shouldn't claim window bits support when jzlib is not available.
    • Fix the assignment error of maxQoS parameter in ConnAck Properties.
  • Fixes from version 4.1.119

    • Replace SSL assertion with explicit record length check.
    • Fix NPE when upgrade message fails to aggregate.
    • SslHandler: Fix possible NPE when executor is used for delegating.
    • Consistently add channel info in HTTP/2 logs.
    • Add QueryStringDecoder option to leave '+' alone.
    • Use initialized BouncyCastle providers when available.
  • Fix pom.xml errors that will be fatal with Maven 4.

Affected packages

SUSE:Linux Enterprise Module for Development Tools 15 SP6 / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Development Tools 15 SP7 / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Package Hub 15 SP6 / netty

Package

Name
netty
Purl
pkg:rpm/suse/netty&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.1.126-150200.4.34.1

Ecosystem specific

{
    "binaries": [
        {
            "netty": "4.1.126-150200.4.34.1",
            "netty-javadoc": "4.1.126-150200.4.34.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Package Hub 15 SP7 / netty

Package

Name
netty
Purl
pkg:rpm/suse/netty&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.1.126-150200.4.34.1

Ecosystem specific

{
    "binaries": [
        {
            "netty": "4.1.126-150200.4.34.1",
            "netty-javadoc": "4.1.126-150200.4.34.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP3-LTSS / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP5-ESPOS / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSS / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP3-LTSS / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP4-LTSS / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP5-LTSS / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP3 / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP4 / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP5 / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

SUSE:Enterprise Storage 7.1 / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Enterprise%20Storage%207.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.73-150200.3.30.1"
        }
    ]
}

openSUSE:Leap 15.6 / netty

Package

Name
netty
Purl
pkg:rpm/opensuse/netty&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.1.126-150200.4.34.1

Ecosystem specific

{
    "binaries": [
        {
            "netty": "4.1.126-150200.4.34.1",
            "netty-tcnative": "2.0.73-150200.3.30.1",
            "netty-javadoc": "4.1.126-150200.4.34.1",
            "netty-tcnative-javadoc": "2.0.73-150200.3.30.1"
        }
    ]
}

openSUSE:Leap 15.6 / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/opensuse/netty-tcnative&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.73-150200.3.30.1

Ecosystem specific

{
    "binaries": [
        {
            "netty": "4.1.126-150200.4.34.1",
            "netty-tcnative": "2.0.73-150200.3.30.1",
            "netty-javadoc": "4.1.126-150200.4.34.1",
            "netty-tcnative-javadoc": "2.0.73-150200.3.30.1"
        }
    ]
}