{"affected":[{"ecosystem_specific":{"binaries":[{"netty":"4.1.130-150200.4.40.1","netty-javadoc":"4.1.130-150200.4.40.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP7","name":"netty","purl":"pkg:rpm/suse/netty&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.1.130-150200.4.40.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"netty":"4.1.130-150200.4.40.1","netty-javadoc":"4.1.130-150200.4.40.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"netty","purl":"pkg:rpm/opensuse/netty&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.1.130-150200.4.40.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for netty fixes the following issues:\n\nUpdate to upstream version 4.1.130.\n\nSecurity issues fixed:\n\n- CVE-2025-67735: lack of URI sanitization in `HttpRequestEncoder` allows for CRLF injection through a request URI and\n  can lead to request smuggling (bsc#1255048).\n\nOther updates and bugfixes:\n\n- Version 4.1.130:\n  * Update `lz4-java` version to 1.10.1\n  * Close `Channel` and fail bootstrap when setting a `ChannelOption` causes an error\n  * Discard the following `HttpContent` for preflight request\n  * Fix race condition in `NonStickyEventExecutorGroup` causing incorrect `inEventLoop()` results\n  * Fix Zstd compression for large data\n  * Fix `ZstdEncoder` not producing data when source is smaller than block\n  * Make big endian ASCII hashcode consistent with little endian\n  * Fix reentrancy bug in `ByteToMessageDecoder`\n  * Add 32k and 64k size classes to adaptive allocator\n  * Re-enable reflective field accesses in native images\n  * Correct HTTP/2 padding length check\n  * Fix HTTP startline validation\n  * Fix `MpscIntQueue` bug\n\n- Build against the `org.jboss:jdk-misc` artifact that is implementing the `sun.misc` classes removed in Java 25\n","id":"SUSE-SU-2025:4489-1","modified":"2025-12-19T11:01:56Z","published":"2025-12-19T11:01:56Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-20254489-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1255048"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-67735"}],"related":["CVE-2025-67735"],"summary":"Security update for netty","upstream":["CVE-2025-67735"]}