Security update for netty, netty-tcnative SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0590-1 Final 1 1 2025-02-19T10:34:01Z current 2025-02-19T10:34:01Z 2025-02-19T10:34:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for netty, netty-tcnative This update for netty, netty-tcnative fixes the following issues: - CVE-2025-24970: incorrect validation of packets by SslHandler can lead to a native crash. (bsc#1237037) - CVE-2025-25193: unsafe reading of environment files can lead to an application crash. (bsc#1237038) Update to netty version 4.1.118 and netty-tcnative version 2.0.70 Final. Other fixes: - Fix recycling in CodecOutputList. - StreamBufferingEncoder: do not send header frame with priority by default. - Notify event loop termination future of unexpected exceptions. - Fix AccessControlException in GlobalEventExecutor. - AdaptivePoolingAllocator: round chunk sizes up and reduce chunk release frequency. - Support BouncyCastle FIPS for reading PEM files. - Dns: correctly encode DnsPtrRecord. - Provide Brotli settings without com.aayushatharva.brotli4j dependency. - Make DefaultResourceLeak more resilient against OOM. - OpenSslSession: add support to defensively check for peer certs. - SslHandler: ensure buffers are never leaked when wrap(...) produces SSLException. - Correcly handle comments appended to nameserver declarations. - PcapWriteHandler: apply fixes so that the handler can append to an existing PCAP file when writing the global header. - PcapWriteHandler: allow output of PCAP files larger than 2GB. - Fix bugs in BoundedInputStream. - Fix HTTP header validation bug. - AdaptivePoolingAllocator: fix possible race condition in method offerToQueue(...). - AdaptivePoolingAllocator: make sure the sentinel object Magazine.MAGAZINE_FREED not be replaced. - Only try to use Zstd and Brotli if the native libs can be loaded. - Bump BlockHound version to 1.0.10.RELEASE. - Add details to TooLongFrameException message. - AdaptivePoolingAllocator: correctly reuse chunks. - AdaptivePoolingAllocator: don't fail when we run on a host with 1 core. - AdaptivePoolingAllocator: correctly re-use central queue chunks and avoid OOM issue. - Fix several memory management (leaks and missing checks) issues. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-590,SUSE-SLE-Module-Development-Tools-15-SP6-2025-590,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-590,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-590,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-590,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-590,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-590,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-590,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-590,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-590,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-590,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-590,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-590,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-590,SUSE-Storage-7.1-2025-590,openSUSE-SLE-15.6-2025-590 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250590-1/ Link for SUSE-SU-2025:0590-1 https://lists.suse.com/pipermail/sle-security-updates/2025-February/020377.html E-Mail link for SUSE-SU-2025:0590-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1237037 SUSE Bug 1237037 https://bugzilla.suse.com/1237038 SUSE Bug 1237038 https://www.suse.com/security/cve/CVE-2025-24970/ SUSE CVE CVE-2025-24970 page https://www.suse.com/security/cve/CVE-2025-25193/ SUSE CVE CVE-2025-25193 page SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server 15 SP5-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 openSUSE Leap 15.6 netty-4.1.118-150200.4.29.2 netty-bom-4.1.118-150200.4.29.2 netty-javadoc-4.1.118-150200.4.29.2 netty-parent-4.1.118-150200.4.29.2 netty-tcnative-2.0.70-150200.3.25.1 netty-tcnative-javadoc-2.0.70-150200.3.25.1 netty-tcnative-openssl-dynamic-2.0.70-150200.3.25.1 netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Enterprise Storage 7.1 netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 netty-4.1.118-150200.4.29.2 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 netty-javadoc-4.1.118-150200.4.29.2 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise Server 15 SP5-LTSS netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 netty-tcnative-2.0.70-150200.3.25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 netty-4.1.118-150200.4.29.2 as a component of openSUSE Leap 15.6 netty-javadoc-4.1.118-150200.4.29.2 as a component of openSUSE Leap 15.6 netty-tcnative-2.0.70-150200.3.25.1 as a component of openSUSE Leap 15.6 netty-tcnative-javadoc-2.0.70-150200.3.25.1 as a component of openSUSE Leap 15.6 Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually. CVE-2025-24970 SUSE Enterprise Storage 7.1:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:netty-4.1.118-150200.4.29.2 SUSE Linux Enterprise Module for Package Hub 15 SP6:netty-javadoc-4.1.118-150200.4.29.2 SUSE Linux Enterprise Server 15 SP3-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Server 15 SP4-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Server 15 SP5-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:netty-tcnative-2.0.70-150200.3.25.1 openSUSE Leap 15.6:netty-4.1.118-150200.4.29.2 openSUSE Leap 15.6:netty-javadoc-4.1.118-150200.4.29.2 openSUSE Leap 15.6:netty-tcnative-2.0.70-150200.3.25.1 openSUSE Leap 15.6:netty-tcnative-javadoc-2.0.70-150200.3.25.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250590-1/ https://www.suse.com/security/cve/CVE-2025-24970.html CVE-2025-24970 https://bugzilla.suse.com/1237037 SUSE Bug 1237037 Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix. CVE-2025-25193 SUSE Enterprise Storage 7.1:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:netty-4.1.118-150200.4.29.2 SUSE Linux Enterprise Module for Package Hub 15 SP6:netty-javadoc-4.1.118-150200.4.29.2 SUSE Linux Enterprise Server 15 SP3-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Server 15 SP4-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Server 15 SP5-LTSS:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:netty-tcnative-2.0.70-150200.3.25.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:netty-tcnative-2.0.70-150200.3.25.1 openSUSE Leap 15.6:netty-4.1.118-150200.4.29.2 openSUSE Leap 15.6:netty-javadoc-4.1.118-150200.4.29.2 openSUSE Leap 15.6:netty-tcnative-2.0.70-150200.3.25.1 openSUSE Leap 15.6:netty-tcnative-javadoc-2.0.70-150200.3.25.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250590-1/ https://www.suse.com/security/cve/CVE-2025-25193.html CVE-2025-25193 https://bugzilla.suse.com/1237038 SUSE Bug 1237038