Debian Patches

Status for netty/1:4.1.48-12

Patch Description Author Forwarded Bugs Origin Last update
01-ignore-npn.patch Disable the NPN/ALPN support since it relies on jetty npn-api and alpn-api which aren't available in Debian Emmanuel Bourg <ebourg@apache.org> not-needed
03-ignore-jboss-marshalling.patch Disable the JBoss Marshalling support (not in Debian) Emmanuel Bourg <ebourg@apache.org> not-needed
04-netty-all-light.patch Turn the netty-all jar into an empty jar to optimize the size of the package but keep the dependencies on the other artifacts Emmanuel Bourg <ebourg@apache.org> not-needed
05-reproducible-versions-properties.patch Make the versions.properties files reproducible Emmanuel Bourg <ebourg@apache.org> not-needed
06-remove-tcnative-classifier.patch Removes the empty classifier for the tcnative dependency since it breaks the Gradle dependencies resolution (seen with the projectreactor package) Emmanuel Bourg <ebourg@apache.org> not-needed
07-netty-all-epoll-dependency.patch Moves the netty-transport-native-epoll out of the profiles since it doesn't work with Gradle (required for the projectreactor package) Emmanuel Bourg <ebourg@apache.org> not-needed
08-codegen-without-groovy-plugin.patch Adapts codegen.groovy to run without the groovy-maven-plugin (not in Debian yet) Emmanuel Bourg <ebourg@apache.org> not-needed
09-ignore-lz4.patch Disables lz4 support (missing dependency) Emmanuel Bourg <ebourg@apache.org> not-needed
10-ignore-lzma.patch Disables lzma support (missing dependency) Emmanuel Bourg <ebourg@apache.org> not-needed
11-ignore-protobuf-nano.patch Disables protobuf nano support (missing dependency) Emmanuel Bourg <ebourg@apache.org> not-needed
13-ignore-conscrypt.patch Disables Conscrypt support (missing dependency) Emmanuel Bourg <ebourg@apache.org> not-needed
15-disable-Werror.patch Build native parts without Werror as that can cause build failures Sjoerd Simons <sjoerd.simons@collabora.co.uk> no debian
16-disable-substratevm-support.patch Disables SubstrateVM support (missing dependencies) Emmanuel Bourg <ebourg@apache.org> not-needed
17-disable-blockhound-integration.patch Disables BlockHound integration (missing dependency) Emmanuel Bourg <ebourg@apache.org> not-needed
CVE-2021-21290.patch CVE-2021-21290 Markus Koschany <apo@debian.org> no https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec 2021-02-12
CVE-2021-21295.patch CVE-2021-21295 Markus Koschany <apo@debian.org> no https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4 2021-03-26
CVE-2021-21409.patch CVE-2021-21409 (was: [PATCH] Merge pull request from GHSA-f256-j965-7f32)
Motivation:

We also need to ensure that all the header validation is done when a single header with the endStream flag is received

Modifications:

- Adjust code to always enforce the validation
- Add more unit tests

Result:

Always correctly validate
Norman Maurer <norman_maurer@apple.com> no https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432 2021-03-30
21-java-17.patch compile with JDK 17 no debian
CVE-2021-37136.patch CVE-2021-37136 Markus Koschany <apo@debian.org> no debian https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020 2023-01-01
CVE-2021-37137.patch CVE-2021-37137 Markus Koschany <apo@debian.org> no debian https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f 2023-01-01
CVE-2021-43797.patch CVE-2021-43797 Markus Koschany <apo@debian.org> no debian https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 2023-01-01
CVE-2022-41881.patch CVE-2022-41881 Markus Koschany <apo@debian.org> no debian https://github.com/netty/netty/commit/cd91cf3c99123bd1e53fd6a1de0e3d1922f05bb2 2023-01-01
CVE-2022-41915.patch CVE-2022-41915 Markus Koschany <apo@debian.org> no debian https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 2023-01-01
CVE-2023-34462.patch CVE-2023-34462 Markus Koschany <apo@debian.org> no debian https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 2023-11-05
CVE-2023-44487.patch CVE-2023-44487 Markus Koschany <apo@debian.org> no debian https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 2023-11-05
22-java-21.patch Java 21 compatibility patch Use reflection to access sun.x509 API due to the breaking changes
between Java 17 and Java 21. Cherry-pick self-signed certificate
generator changes from netty-4.1.91.Final.
Norman Maurer <norman_maurer@apple.com> yes debian upstream 2023-11-28
CVE-2024-29025.patch CVE-2024-29025 Markus Koschany <apo@debian.org> no https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c 2024-05-12
CVE-2025-59419.patch CVE-2025-59419: Merge commit from fork
* Patch 1 of 3

* Patch 2 of 3

* Patch 3 of 3

* Fix indentation style

* Update 2025

* Optimize allocations

* Update codec-smtp/src/main/java/io/netty/handler/codec/smtp/SmtpUtils.java
DepthFirst Disclosures <disclosures@depthfirst.com> no 2025-10-14
CVE-2025-55163_before-1.patch commit 9b80d081ff3478c46152b012ae0e21f939467ac3

Only enable the RST limit for servers by default (#13671)

Motivation:

We don't need to limit the number of RST frames per connection when we
are building a codec for the client side.

Modifications:

Don't limit the numbers of RST frames per connection when building a
codec for the client side.

Result:

Only add limit where needed
Norman Maurer <norman_maurer@apple.com> no backport, https://github.com/netty/netty/commit/9b80d081ff3478c46152b012ae0e21f939467ac3 2023-10-28
CVE-2025-55163_1.patch HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncode… (#15518)

…r (#15516)

Motivation:

We sometimes directly used the Http2FrameWriter which is not correct as
someone might have supplied a custom Http2ConnectionEncoder

Modifications:

Use Http2ConnectionEncoder when writing RST frames

Result:

Don't by-pass Http2ConnectionEncoder
Norman Maurer <norman_maurer@apple.com> yes upstream backport, https://github.com/netty/netty/commit/be53dc3c9acd9af2e20d0c3c07cd77115a594cf1 2025-07-28
CVE-2025-55163_2.patch [PATCH] Merge commit from fork
* Enforce the maximum number of RST frames that can be sent in window of time

Motivation:

A remote peer might be able to trigger an instance to generate and send RST frames by sending invalid frames on an existing stream. This can cause high resource usage and so might be abused by a remote peer.

Modifications:

Limit the number of RSTs that we allow to be generated and so sent in a specific time window. If this limit is reached a GO_AWAY frame is sent and the connection is closed.

Result:

Fix high resource usage that can be caused by a remote peer by triggering RST frames

* Adjust testing

* Address comments
Norman Maurer <norman_maurer@apple.com> yes upstream backport, https://github.com/netty/netty/commit/009bd17b38a39fb1eecf9d22ea8ae8108afaac59 2025-08-13
CVE-2025-58057.patch [PATCH] Merge commit from fork (#15612)
Motivation:

We should ensure our decompressing decoders will fire their buffers
through the pipeline as fast as possible and so allow the user to take
ownership of these as fast as possible. This is needed to reduce the
risk of OOME as otherwise a small input might produce a large amount of
data that can't be processed until all the data was decompressed in a
loop. Besides this we also should ensure that other handlers that use
these decompressors will not buffer all of the produced data before
processing it, which was true for HTTP and HTTP2.

Modifications:

- Adjust affected decoders (Brotli, Zstd and ZLib) to fire buffers
through the pipeline as soon as possible
- Adjust HTTP / HTTP2 decompressors to do the same
- Add testcase.

Result:

Less risk of OOME when doing decompressing
Norman Maurer <norman_maurer@apple.com> no backport, https://github.com/netty/netty/commit/34894ac73b02efefeacd9c0972780b32dc3de04f 2025-09-03
