Security update for netty, netty-tcnative

Announcement ID:	SUSE-SU-2025:03114-1
Release Date:	2025-09-09T10:36:11Z
Rating:	important
References:	bsc#1247991 bsc#1249116 bsc#1249134
Cross-References:	CVE-2025-55163 CVE-2025-58056 CVE-2025-58057
CVSS scores:	CVE-2025-55163 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-55163 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-55163 ( NVD ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-58056 ( NVD ): 2.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-58056 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2025-58057 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-58057 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-58057 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-58057 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Development Tools Module 15-SP6 Development Tools Module 15-SP7 openSUSE Leap 15.6 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 LTSS SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP4 LTSS SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP5 LTSS SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Package Hub 15 15-SP6 SUSE Package Hub 15 15-SP7

An update that solves three vulnerabilities can now be installed.

Description:

This update for netty, netty-tcnative fixes the following issues:

Upgrade to upstream version 4.1.126.

Security issues fixed:

• CVE-2025-58057: decompression codecs allocating a large number of buffers after processing specially crafted input can cause a denial of service (bsc#1249134).
• CVE-2025-58056: incorrect parsing of chunk extensions can lead to request smuggling (bsc#1249116).
• CVE-2025-55163: "MadeYouReset" denial of serivce attack in the HTTP/2 protocol (bsc#1247991).

Other issues fixed:

• Fixes from version 4.1.126
• Fix IllegalReferenceCountException on invalid upgrade response.
• Drop unknown frame on missing stream.
• Don't try to handle incomplete upgrade request.

• Update to netty-tcnative 2.0.73Final.

• Fixes from version 4.1.124

• Fix NPE and AssertionErrors when many tasks are scheduled and cancelled.
• HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder.
• Epoll: Correctly handle UDP packets with source port of 0.
• Fix netty-common OSGi Import-Package header.

• MqttConnectPayload.toString() includes password.

• Fixes from version 4.1.123

• Fix chunk reuse bug in adaptive allocator.
• More accurate adaptive memory usage accounting.
• Introduce size-classes for the adaptive allocator.
• Reduce magazine proliferation eagerness.
• Fix concurrent ByteBuffer access issue in AdaptiveByteBuf.getBytes.
• Fix possible buffer corruption caused by incorrect setCharSequence(...) implementation.
• AdaptiveByteBuf: Fix AdaptiveByteBuf.maxFastWritableBytes() to take writerIndex() into account.
• Optimize capacity bumping for adaptive ByteBufs.
• AbstractDnsRecord: equals() and hashCode() to ignore name field's case.
• Backport Unsafe guards.
• Guard recomputed offset access with hasUnsafe.
• HTTP2: Always produce a RST frame on stream exception.

• Correct what artifacts included in netty-bom.

• Fixes from version 4.1.122

• DirContextUtils.addNameServer(...) should just catch Exception internally.
• Make public API specify explicit maxAllocation to prevent OOM.
• Fix concurrent ByteBuf write access bug in adaptive allocator.
• Fix transport-native-kqueue Bundle-SymbolicNames.
• Fix resolver-dns-native-macos Bundle-SymbolicNames.
• Always correctly calculate the memory address of the ByteBuf even if sun.misc.Unsafe is not usable.
• Upgrade lz4 dependencies as the old version did not correctly handle ByteBuffer that have an arrayOffset > 0.
• Optimize ByteBuf.setCharSequence for adaptive allocator.
• Kqueue: Fix registration failure when fd is reused.
• Make JdkZlibEncoder accept Deflater.DEFAULT_COMPRESSION as level.
• Ensure OpenSsl.availableJavaCipherSuites does not contain null values.
• Always prefer direct buffers for pooled allocators if not explicit disabled.
• Update to netty-tcnative 2.0.72.Final.
• Re-enable sun.misc.Unsafe by default on Java 24+.

• Kqueue: Delay removal from registration map to fix noisy warnings.

• Fixes from version 4.1.121

• Epoll.isAvailable() returns false on Ubuntu 20.04/22.04 arch amd64.

• Fix transport-native-epoll Bundle-SymbolicNames.

• Fixes from version 4.1.120

• Fix flawed termination condition check in HttpPostRequestEncoder#encodeNextChunkUrlEncoded(int) for current InterfaceHttpData.
• Exposed decoderEnforceMaxConsecutiveEmptyDataFrames and decoderEnforceMaxRstFramesPerWindow.
• ThreadExecutorMap must restore old EventExecutor.
• Make Recycler virtual thread friendly.
• Disable sun.misc.Unsafe by default on Java 24+.
• Adaptive: Correctly enforce leak detection when using AdaptiveByteBufAllocator.
• Add suppressed exception to original cause when calling Future.sync*.
• Add SETTINGS_ENABLE_CONNECT_PROTOCOL to the default HTTP/2 settings.
• Correct computation for suboptimal chunk retirement probability.
• Fix bug in method AdaptivePoolingAllocator.allocateWithoutLock(...).
• Fix a Bytebuf leak in TcpDnsQueryDecoder.
• SSL: Clear native error if named group is not supported.
• WebSocketClientCompressionHandler shouldn't claim window bits support when jzlib is not available.

• Fix the assignment error of maxQoS parameter in ConnAck Properties.

• Fixes from version 4.1.119

• Replace SSL assertion with explicit record length check.
• Fix NPE when upgrade message fails to aggregate.
• SslHandler: Fix possible NPE when executor is used for delegating.
• Consistently add channel info in HTTP/2 logs.
• Add QueryStringDecoder option to leave '+' alone.

• Use initialized BouncyCastle providers when available.

• Fix pom.xml errors that will be fatal with Maven 4

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-3114=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-3114=1
• SUSE Linux Enterprise Server 15 SP3 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-3114=1
• SUSE Linux Enterprise Server 15 SP4 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-3114=1
• SUSE Linux Enterprise Server 15 SP5 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-3114=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2025-3114=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-3114=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP5
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-3114=1
• SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2025-3114=1
• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2025-3114=1
• Development Tools Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-3114=1
• Development Tools Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2025-3114=1
• SUSE Package Hub 15 15-SP6
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-3114=1
• SUSE Package Hub 15 15-SP7
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-3114=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-3114=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-3114=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-3114=1

Package List:

• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Linux Enterprise Server 15 SP3 LTSS (aarch64 ppc64le s390x x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Enterprise Storage 7.1 (aarch64 x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • netty-4.1.126-150200.4.34.1
  • netty-tcnative-2.0.73-150200.3.30.1
• openSUSE Leap 15.6 (noarch)
  • netty-tcnative-javadoc-2.0.73-150200.3.30.1
  • netty-javadoc-4.1.126-150200.4.34.1
• Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • netty-tcnative-debugsource-2.0.73-150200.3.30.1
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
  • netty-4.1.126-150200.4.34.1
• SUSE Package Hub 15 15-SP6 (noarch)
  • netty-javadoc-4.1.126-150200.4.34.1
• SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
  • netty-4.1.126-150200.4.34.1
• SUSE Package Hub 15 15-SP7 (noarch)
  • netty-javadoc-4.1.126-150200.4.34.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  • netty-tcnative-2.0.73-150200.3.30.1

References:

• https://www.suse.com/security/cve/CVE-2025-55163.html
• https://www.suse.com/security/cve/CVE-2025-58056.html
• https://www.suse.com/security/cve/CVE-2025-58057.html
• https://bugzilla.suse.com/show_bug.cgi?id=1247991
• https://bugzilla.suse.com/show_bug.cgi?id=1249116
• https://bugzilla.suse.com/show_bug.cgi?id=1249134