Several security issues were fixed in Netty.
Software Description:
- netty: event-driven asynchronous network application framework
Details:
Jeppe Bonde Weikop discovered that Netty incorrectly parsed HTTP
messages. When Netty is used with certain reverse proxies, a
remote attacker could possibly use this issue to perform HTTP request
smuggling attacks. (CVE-2025-58056)
Jonas Konrad discovered that Netty did not properly manage memory when
decoding compressed data. A remote attacker could possibly use this
issue to cause Netty to consume excessive memory, resulting in a denial
of service. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu
20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and
Ubuntu 25.10. (CVE-2025-58057)
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
libnetty-java 1:4.1.48-10ubuntu0.25.10.2
Ubuntu 25.04
libnetty-java 1:4.1.48-10ubuntu0.25.04.2
Ubuntu 24.04 LTS
libnetty-java 1:4.1.48-9ubuntu0.1
Ubuntu 22.04 LTS
libnetty-java 1:4.1.48-4+deb11u2ubuntu0.1
Ubuntu 20.04 LTS
libnetty-java 1:4.1.45-1ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libnetty-java 1:4.1.7-4ubuntu0.1+esm5
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libnetty-java 1:4.0.34-1ubuntu0.1~esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.https://ubuntu.com/security/notices/USN-7918-1
CVE-2025-58056, CVE-2025-58057
Get the latest Linux and open source security news straight to your inbox.