netty-4.1.126-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16582 Final 1 1 2025-09-04T00:00:00Z current 2025-09-04T00:00:00Z 2025-09-04T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z netty-4.1.126-1.1 on GA media These are all security issues fixed in the netty-4.1.126-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16582 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-58056/ SUSE CVE CVE-2025-58056 page https://www.suse.com/security/cve/CVE-2025-58057/ SUSE CVE CVE-2025-58057 page openSUSE Tumbleweed netty-4.1.126-1.1 netty-bom-4.1.126-1.1 netty-javadoc-4.1.126-1.1 netty-parent-4.1.126-1.1 netty-4.1.126-1.1 as a component of openSUSE Tumbleweed netty-bom-4.1.126-1.1 as a component of openSUSE Tumbleweed netty-javadoc-4.1.126-1.1 as a component of openSUSE Tumbleweed netty-parent-4.1.126-1.1 as a component of openSUSE Tumbleweed Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final. CVE-2025-58056 openSUSE Tumbleweed:netty-4.1.126-1.1 openSUSE Tumbleweed:netty-bom-4.1.126-1.1 openSUSE Tumbleweed:netty-javadoc-4.1.126-1.1 openSUSE Tumbleweed:netty-parent-4.1.126-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58056.html CVE-2025-58056 https://bugzilla.suse.com/1249116 SUSE Bug 1249116 Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression. CVE-2025-58057 openSUSE Tumbleweed:netty-4.1.126-1.1 openSUSE Tumbleweed:netty-bom-4.1.126-1.1 openSUSE Tumbleweed:netty-javadoc-4.1.126-1.1 openSUSE Tumbleweed:netty-parent-4.1.126-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58057.html CVE-2025-58057 https://bugzilla.suse.com/1249134 SUSE Bug 1249134