SUSE-SU-2025:03114-1

Advisory lineage Upstream: 3 Downstream: 0
Published: 09 Sept 2025, 10:35
Last modified:04 Feb 2026, 04:13

Vulnerability Summary

Overall Risk (default)
minimal
0/100
CVSS Score
No data
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

09 Sept 2025, 10:35
Published
Vulnerability first disclosed
04 Feb 2026, 04:13
Last Modified
Vulnerability information updated

Description

Security update for netty, netty-tcnative This update for netty, netty-tcnative fixes the following issues: Upgrade to upstream version 4.1.126. Security issues fixed: - CVE-2025-58057: decompression codecs allocating a large number of buffers after processing specially crafted input can cause a denial of service (bsc#1249134). - CVE-2025-58056: incorrect parsing of chunk extensions can lead to request smuggling (bsc#1249116). - CVE-2025-55163: 'MadeYouReset' denial of serivce attack in the HTTP/2 protocol (bsc#1247991). Other issues fixed: - Fixes from version 4.1.126 * Fix IllegalReferenceCountException on invalid upgrade response. * Drop unknown frame on missing stream. * Don't try to handle incomplete upgrade request. * Update to netty-tcnative 2.0.73Final. - Fixes from version 4.1.124 * Fix NPE and AssertionErrors when many tasks are scheduled and cancelled. * HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder. * Epoll: Correctly handle UDP packets with source port of 0. * Fix netty-common OSGi Import-Package header. * MqttConnectPayload.toString() includes password. - Fixes from version 4.1.123 * Fix chunk reuse bug in adaptive allocator. * More accurate adaptive memory usage accounting. * Introduce size-classes for the adaptive allocator. * Reduce magazine proliferation eagerness. * Fix concurrent ByteBuffer access issue in AdaptiveByteBuf.getBytes. * Fix possible buffer corruption caused by incorrect setCharSequence(...) implementation. * AdaptiveByteBuf: Fix AdaptiveByteBuf.maxFastWritableBytes() to take writerIndex() into account. * Optimize capacity bumping for adaptive ByteBufs. * AbstractDnsRecord: equals() and hashCode() to ignore name field's case. * Backport Unsafe guards. * Guard recomputed offset access with hasUnsafe. * HTTP2: Always produce a RST frame on stream exception. * Correct what artifacts included in netty-bom. - Fixes from version 4.1.122 * DirContextUtils.addNameServer(...) should just catch Exception internally. * Make public API specify explicit maxAllocation to prevent OOM. * Fix concurrent ByteBuf write access bug in adaptive allocator. * Fix transport-native-kqueue Bundle-SymbolicNames. * Fix resolver-dns-native-macos Bundle-SymbolicNames. * Always correctly calculate the memory address of the ByteBuf even if sun.misc.Unsafe is not usable. * Upgrade lz4 dependencies as the old version did not correctly handle ByteBuffer that have an arrayOffset > 0. * Optimize ByteBuf.setCharSequence for adaptive allocator. * Kqueue: Fix registration failure when fd is reused. * Make JdkZlibEncoder accept Deflater.DEFAULT_COMPRESSION as level. * Ensure OpenSsl.availableJavaCipherSuites does not contain null values. * Always prefer direct buffers for pooled allocators if not explicit disabled. * Update to netty-tcnative 2.0.72.Final. * Re-enable sun.misc.Unsafe by default on Java 24+. * Kqueue: Delay removal from registration map to fix noisy warnings. - Fixes from version 4.1.121 * Epoll.isAvailable() returns false on Ubuntu 20.04/22.04 arch amd64. * Fix transport-native-epoll Bundle-SymbolicNames. - Fixes from version 4.1.120 * Fix flawed termination condition check in HttpPostRequestEncoder#encodeNextChunkUrlEncoded(int) for current InterfaceHttpData. * Exposed decoderEnforceMaxConsecutiveEmptyDataFrames and decoderEnforceMaxRstFramesPerWindow. * ThreadExecutorMap must restore old EventExecutor. * Make Recycler virtual thread friendly. * Disable sun.misc.Unsafe by default on Java 24+. * Adaptive: Correctly enforce leak detection when using AdaptiveByteBufAllocator. * Add suppressed exception to original cause when calling Future.sync*. * Add SETTINGS_ENABLE_CONNECT_PROTOCOL to the default HTTP/2 settings. * Correct computation for suboptimal chunk retirement probability. * Fix bug in method AdaptivePoolingAllocator.allocateWithoutLock(...). * Fix a Bytebuf leak in TcpDnsQueryDecoder. * SSL: Clear native error if named group is not supported. * WebSocketClientCompressionHandler shouldn't claim window bits support when jzlib is not available. * Fix the assignment error of maxQoS parameter in ConnAck Properties. - Fixes from version 4.1.119 * Replace SSL assertion with explicit record length check. * Fix NPE when upgrade message fails to aggregate. * SslHandler: Fix possible NPE when executor is used for delegating. * Consistently add channel info in HTTP/2 logs. * Add QueryStringDecoder option to leave '+' alone. * Use initialized BouncyCastle providers when available. - Fix pom.xml errors that will be fatal with Maven 4

Affected Systems

  • opensusenetty-tcnative&distro=openSUSE Leap 15.6

    < 2.0.73-150200.3.30.1

  • opensusenetty&distro=openSUSE Leap 15.6

    < 4.1.126-150200.4.34.1

  • susenetty-tcnative&distro=SUSE Enterprise Storage 7.1

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise Module for Development Tools 15 SP6

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise Module for Development Tools 15 SP7

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise Server 15 SP3-LTSS

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise Server 15 SP4-LTSS

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise Server 15 SP5-LTSS

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise Server for SAP Applications 15 SP3

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise Server for SAP Applications 15 SP4

    < 2.0.73-150200.3.30.1

  • susenetty-tcnative&distro=SUSE Linux Enterprise Server for SAP Applications 15 SP5

    < 2.0.73-150200.3.30.1

  • susenetty&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6

    < 4.1.126-150200.4.34.1

  • susenetty&distro=SUSE Linux Enterprise Module for Package Hub 15 SP7

    < 4.1.126-150200.4.34.1

References (7)