Explore top 10 tips to secure your open-source projects now. Read More
×An update that solves 18 vulnerabilities can now be installed.. # Security update for netty, netty-tcnative Announcement ID: SUSE-SU-2026:2802-1 Release Date: 2026-07-08T19:06:45Z Rating: important References: * bsc#1268165 * bsc#1268169 * bsc#1268170 * bsc#1268244 * bsc#1268246 * bsc#1268247 * bsc#1268248 * bsc#1268249 * bsc#1268250 * bsc#1268251 * bsc#1268252 * bsc#1268255 * bsc#1268257 * bsc#1268258 * bsc#1268259 * bsc#1268260 * bsc#1268261 * bsc#1268262 Cross-References: * CVE-2026-44249 * CVE-2026-44250 * CVE-2026-44890 * CVE-2026-44893 * CVE-2026-45416 * CVE-2026-45536 * CVE-2026-45673 * CVE-2026-45674 * CVE-2026-46340 * CVE-2026-47244 * CVE-2026-47691 * CVE-2026-48006 * CVE-2026-48043 * CVE-2026-48059 * CVE-2026-50010 * CVE-2026-50011 * CVE-2026-50020 * CVE-2026-50560 CVSS scores: * CVE-2026-44249 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-44249 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-44249 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-44249 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-44250 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-44250 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44250 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44250 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44890 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-44890 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44890 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44890 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44893 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-44893 ( SUSE ): 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44893 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44893 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45416 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45416 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45416 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45416 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45536 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-45536 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-45536 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-45673 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N * CVE-2026-45673 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N * CVE-2026-45673 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N * CVE-2026-45674 ( SUSE ): 7.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N * CVE-2026-45674 ( SUSE ): 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N * CVE-2026-45674 ( NVD ): 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N * CVE-2026-45674 ( NVD ): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N * CVE-2026-45674 ( NVD ): 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N * CVE-2026-46340 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-46340 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46340 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-46340 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-47244 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-47244 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-47244 ( NVD ): 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-47691 ( SUSE ): 7.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N * CVE-2026-47691 ( SUSE ): 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N * CVE-2026-47691 ( NVD ): 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N * CVE-2026-47691 ( NVD ): 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N * CVE-2026-47691 ( NVD ): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N * CVE-2026-48006 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-48006 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48006 ( NVD ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-48006 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48006 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48043 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-48043 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48043 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48043 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-48043 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48059 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-48059 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48059 ( NVD ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-48059 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48059 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-50010 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-50010 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-50010 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-50010 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-50011 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-50011 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-50011 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-50011 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-50020 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-50020 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-50020 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-50560 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-50560 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-50560 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-50560 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Affected Products: * Development Tools Module 15-SP7 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP4 LTSS * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux EnterpriseServer 15 SP5 LTSS * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP6 LTSS * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Package Hub 15 15-SP7 An update that solves 18 vulnerabilities can now be installed. ## Description: This update for netty, netty-tcnative fixes the following issue This update for netty, netty-tcnative fixes the following issues Upgrade netty to upstream version 4.1.135, netty-tcnative to upstream version 2.0.79: * CVE-2026-44249: IPv6 Subnet Filter Bypass via Incorrect Comparator Masking (bsc#1268165). * CVE-2026-44250: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays (bsc#1268169). * CVE-2026-44890: Unbounded Direct Memory Consumption in RedisDecoder (bsc#1268170). * CVE-2026-44893: netty-codec-haproxy: Denial of Service via malformed HAProxy message (bsc#1268244). * CVE-2026-45416: SNI handler pre-allocates up to 16 MiB from nine attacker bytes (bsc#1268246). * CVE-2026-45536: Unix-socket fd receive leaks descriptors when peer sends two at once (bsc#1268247). * CVE-2026-45673: netty-resolver-dns: DNS Cache Poisoning via predictable transaction IDs (bsc#1268248). * CVE-2026-45674: DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records (bsc#1268249). * CVE-2026-46340: netty-transport-sctp: Denial of Service due to unbounded memory growth from SctpMessage fragments (bsc#1268250). * CVE-2026-47244: HTTP/2: Advertised MAX_CONCURRENT_STREAMS not enforced (bsc#1268251). * CVE-2026-47691: Insufficient Bailiwick Validation for NS Records (bsc#1268252). * CVE-2026-48006: netty-codec-redis: Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator (bsc#1268255). * CVE-2026-48043:netty-codec-http2: Denial of Service due to resource leak (bsc#1268257). * CVE-2026-48059: netty-codec-haproxy: Denial of Service via memory leak from crafted PROXY protocol headers (bsc#1268258). * CVE-2026-50010: Wrapping plain trust manager silently disables hostname verification (bsc#1268259). * CVE-2026-50011: Unbounded pre-allocation in RedisArrayAggregator from RESP array length (bsc#1268260). * CVE-2026-50020: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted (bsc#1268261). * CVE-2026-50560: Netty susceptible to HTTP/2 Reset Attack with different on- the-wire signature (bsc#1268262). Changes: * MQTT: Allow MQTT 5 CONNECT with password only * ChannelInitializer: correct misleading comment on exceptionCaught route * HTTP/2: Parse request-target path like Vert.x (4.1 backport) * HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted * IpSubnetFilter: Correctly handle ipv6 * Configurable bound on RedisArrayAggregator * Redis: Limit decoded length * DNS: Ensure query id is not predictible * Wrapping plain trust manager silently disables hostname verification * MQTT: Reject malformed no-payload packets with non-zero Remaining Length * HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory * SSL: Use sane defaults as limits for the client hello length and timeout * DNS: Only cache CNAME if part of the queried domain * HTTP/2: Enforce max concurrent streams for misbehaving clients * Dns: Insufficient Bailiwick Validation for NS Records * HTTP2: DelegatingDecompressorFrameListener must release memory in all cases * Pass maxAllocation to Brotli and Zstd decoders * HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory * Add maxWindowLog parameter to ZstdDecoder to bound memory allocation * HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs * Epoll / Kqueue: Correctly handle receive of FD * SCTP:Limit the number of inflight incomplete SCTP messages and the number of fragments * Redis: Correctly release incomplete message on removal when using RedisArrayAggregator * Redis: Limit the maximum number of nested arrays * HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake * Marshalling: Explicit document security requirements * Pin HTTP/RTSP version + method normalization to Locale.US * Adaptive: Fix concurrency issue in adaptive allocator * Pin multipart Content-Type / Content-Transfer-Encoding case folding to Locale.US * Remove dead native declarations * Avoid re-parsing openssl key material with non-cached provider * IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 * Resolve all localhost addresses without querying DNS servers * HTTP2: Use 100 as default max concurrent streams setting * Route synchronous onLookupComplete exceptions via fireExceptionCaught * Fix MQTT decoder size check after variable header replay ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2802=1 * SUSE Linux Enterprise Server 15 SP4 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2802=1 * SUSE Linux Enterprise Server 15 SP6 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2802=1 * SUSE Linux Enterprise Server 15 SP5 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2802=1 * Development Tools Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-2802=1 * SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2802=1 * SUSE Linux Enterprise High PerformanceComputing LTSS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2802=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2802=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2802=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2802=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2802=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2802=1 ## Package List: * SUSE Package Hub 15 15-SP7 (noarch) * netty-javadoc-4.1.135-150200.4.50.1 * SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64) * netty-4.1.135-150200.4.50.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64) * netty-tcnative-2.0.79-150200.3.45.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64) * netty-tcnative-2.0.79-150200.3.45.1 * Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64) * netty-tcnative-debugsource-2.0.79-150200.3.45.1 * netty-tcnative-2.0.79-150200.3.45.1 * SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.79-150200.3.45.1 * SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.79-150200.3.45.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64) * netty-tcnative-2.0.79-150200.3.45.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64) * netty-tcnative-2.0.79-150200.3.45.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64) * netty-tcnative-2.0.79-150200.3.45.1 * SUSE Linux Enterprise Server for SAP Applications15 SP4 (ppc64le x86_64) * netty-tcnative-2.0.79-150200.3.45.1 * SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.79-150200.3.45.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64) * netty-tcnative-2.0.79-150200.3.45.1 ## References: * https://www.suse.com/security/cve/CVE-2026-44249.html * https://www.suse.com/security/cve/CVE-2026-44250.html * https://www.suse.com/security/cve/CVE-2026-44890.html * https://www.suse.com/security/cve/CVE-2026-44893.html * https://www.suse.com/security/cve/CVE-2026-45416.html * https://www.suse.com/security/cve/CVE-2026-45536.html * https://www.suse.com/security/cve/CVE-2026-45673.html * https://www.suse.com/security/cve/CVE-2026-45674.html * https://www.suse.com/security/cve/CVE-2026-46340.html * https://www.suse.com/security/cve/CVE-2026-47244.html * https://www.suse.com/security/cve/CVE-2026-47691.html * https://www.suse.com/security/cve/CVE-2026-48006.html * https://www.suse.com/security/cve/CVE-2026-48043.html * https://www.suse.com/security/cve/CVE-2026-48059.html * https://www.suse.com/security/cve/CVE-2026-50010.html * https://www.suse.com/security/cve/CVE-2026-50011.html * https://www.suse.com/security/cve/CVE-2026-50020.html * https://www.suse.com/security/cve/CVE-2026-50560.html * https://bugzilla.suse.com/show_bug.cgi?id=1268165 * https://bugzilla.suse.com/show_bug.cgi?id=1268169 * https://bugzilla.suse.com/show_bug.cgi?id=1268170 * https://bugzilla.suse.com/show_bug.cgi?id=1268244 * https://bugzilla.suse.com/show_bug.cgi?id=1268246 * https://bugzilla.suse.com/show_bug.cgi?id=1268247 * https://bugzilla.suse.com/show_bug.cgi?id=1268248 * https://bugzilla.suse.com/show_bug.cgi?id=1268249 * https://bugzilla.suse.com/show_bug.cgi?id=1268250 * https://bugzilla.suse.com/show_bug.cgi?id=1268251 * https://bugzilla.suse.com/show_bug.cgi?id=1268252 * https://bugzilla.suse.com/show_bug.cgi?id=1268255 *https://bugzilla.suse.com/show_bug.cgi?id=1268257 * https://bugzilla.suse.com/show_bug.cgi?id=1268258 * https://bugzilla.suse.com/show_bug.cgi?id=1268259 * https://bugzilla.suse.com/show_bug.cgi?id=1268260 * https://bugzilla.suse.com/show_bug.cgi?id=1268261 * https://bugzilla.suse.com/show_bug.cgi?id=1268262 . SUSE updates netty and netty-tcnative, addressing 18 security issues with important severity ratings.. SUSE updates, netty security, netty vulnerabilities, important advisory, denial of service vulnerabilities. . Severity: Important. LinuxSecurity.com Team
An update that solves 12 vulnerabilities can now be installed.. # Security update for netty, netty-tcnative Announcement ID: SUSE-SU-2026:2308-1 Release Date: 2026-06-09T08:14:00Z Rating: important References: * bsc#1264350 * bsc#1265243 * bsc#1265245 * bsc#1265246 * bsc#1265272 * bsc#1265273 * bsc#1265277 * bsc#1265279 * bsc#1265280 * bsc#1265292 * bsc#1265294 * bsc#1265318 Cross-References: * CVE-2026-41417 * CVE-2026-42578 * CVE-2026-42579 * CVE-2026-42580 * CVE-2026-42581 * CVE-2026-42582 * CVE-2026-42583 * CVE-2026-42584 * CVE-2026-42585 * CVE-2026-42586 * CVE-2026-42587 * CVE-2026-44248 CVSS scores: * CVE-2026-41417 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-41417 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N * CVE-2026-41417 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-42578 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-42578 ( NVD ): 2.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-42578 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-42579 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N * CVE-2026-42579 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L * CVE-2026-42579 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-42579 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H * CVE-2026-42580 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2026-42580 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2026-42580 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L * CVE-2026-42581 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2026-42581 ( SUSE ): 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2026-42581 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-42581 ( NVD ): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N * CVE-2026-42582 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-42582 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-42583 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-42583 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-42583 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-42584 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2026-42584 ( SUSE ): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2026-42584 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H * CVE-2026-42584 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2026-42585 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-42585 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-42585 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-42585 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-42586 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N * CVE-2026-42586 ( NVD ): 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N * CVE-2026-42586 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-42587 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-42587 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-44248 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2026-44248 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-44248 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-44248 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: *Development Tools Module 15-SP7 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP4 LTSS * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP5 LTSS * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP6 LTSS * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Package Hub 15 15-SP7 An update that solves 12 vulnerabilities can now be installed. ## Description: This update for netty, netty-tcnative fixes the following issues * CVE-2026-41417: missing validations leads to HTTP request smuggling and RTSP request injection via start-line injection in `DefaultHttpRequest.setUri()` (bsc#1264350). * CVE-2026-42578: HTTP Header Injection via HttpProxyHandler Disabled Validation in Netty (bsc#1265243). * CVE-2026-42579: DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding (bsc#1265272). * CVE-2026-42580: chunk size parser silently overflows int and enables request smuggling attacks (bsc#1265273). * CVE-2026-42581: TE+CL header coexistence in HTTP/1.0 requests bypasses smuggling sanitization (bsc#1265277). * CVE-2026-42583: resource exhaustion and possible denial of service via `Lz4FrameDecoder` (bsc#1265279). * CVE-2026-42584: improper handling of inboundresponses in `HttpClientCodec` can lead to response desynchronization (bsc#1265280). * CVE-2026-42585: Netty is an asynchronous, event-driven network application framework (bsc#1265292). * CVE-2026-42586: CRLF Injection in Netty Redis Codec Encoder (bsc#1265245). * CVE-2026-42587: HttpContentDecompressor maxAllocation bypass via Content- Encoding: br/zstd/snappy enables decompression bomb DoS (bsc#1265246). * CVE-2026-44248: Netty is an asynchronous, event-driven network application framework (bsc#1265294). * CVE-2026-42582: HTTP/3 QPACK literal unbounded allocation (bsc#1265318). Changes for netty: * Upgrade to upstream version 4.1.133 ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Development Tools Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-2308=1 * SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2308=1 * SUSE Linux Enterprise Server 15 SP6 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2308=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2308=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2308=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2308=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2308=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2308=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2308=1 * SUSELinux Enterprise High Performance Computing LTSS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2308=1 * SUSE Linux Enterprise Server 15 SP4 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2308=1 * SUSE Linux Enterprise Server 15 SP5 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2308=1 ## Package List: * Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64) * netty-tcnative-debugsource-2.0.77-150200.3.39.1 * netty-tcnative-2.0.77-150200.3.39.1 * SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64) * netty-4.1.133-150200.4.46.1 * SUSE Package Hub 15 15-SP7 (noarch) * netty-javadoc-4.1.133-150200.4.46.1 * SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.77-150200.3.39.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64) * netty-tcnative-2.0.77-150200.3.39.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64) * netty-tcnative-2.0.77-150200.3.39.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64) * netty-tcnative-2.0.77-150200.3.39.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64) * netty-tcnative-2.0.77-150200.3.39.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64) * netty-tcnative-2.0.77-150200.3.39.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64) * netty-tcnative-2.0.77-150200.3.39.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64) * netty-tcnative-2.0.77-150200.3.39.1 * SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.77-150200.3.39.1 * SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.77-150200.3.39.1 ## References: * https://www.suse.com/security/cve/CVE-2026-41417.html *https://www.suse.com/security/cve/CVE-2026-42578.html * https://www.suse.com/security/cve/CVE-2026-42579.html * https://www.suse.com/security/cve/CVE-2026-42580.html * https://www.suse.com/security/cve/CVE-2026-42581.html * https://www.suse.com/security/cve/CVE-2026-42582.html * https://www.suse.com/security/cve/CVE-2026-42583.html * https://www.suse.com/security/cve/CVE-2026-42584.html * https://www.suse.com/security/cve/CVE-2026-42585.html * https://www.suse.com/security/cve/CVE-2026-42586.html * https://www.suse.com/security/cve/CVE-2026-42587.html * https://www.suse.com/security/cve/CVE-2026-44248.html * https://bugzilla.suse.com/show_bug.cgi?id=1264350 * https://bugzilla.suse.com/show_bug.cgi?id=1265243 * https://bugzilla.suse.com/show_bug.cgi?id=1265245 * https://bugzilla.suse.com/show_bug.cgi?id=1265246 * https://bugzilla.suse.com/show_bug.cgi?id=1265272 * https://bugzilla.suse.com/show_bug.cgi?id=1265273 * https://bugzilla.suse.com/show_bug.cgi?id=1265277 * https://bugzilla.suse.com/show_bug.cgi?id=1265279 * https://bugzilla.suse.com/show_bug.cgi?id=1265280 * https://bugzilla.suse.com/show_bug.cgi?id=1265292 * https://bugzilla.suse.com/show_bug.cgi?id=1265294 * https://bugzilla.suse.com/show_bug.cgi?id=1265318 . Critical update for SUSE fixing 12 vulnerabilities in netty and netty-tcnative, addressing security risks.. SUSE netty security update, netty vulnerabilities, important SUSE updates. . Severity: Important. LinuxSecurity.com Team
An update that solves two vulnerabilities can now be installed.. # Security update for netty, netty-tcnative Announcement ID: SUSE-SU-2026:1353-1 Release Date: 2026-04-15T13:37:31Z Rating: important References: * bsc#1261031 * bsc#1261043 Cross-References: * CVE-2026-33870 * CVE-2026-33871 CVSS scores: * CVE-2026-33870 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-33870 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-33870 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-33871 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-33871 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33871 ( NVD ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-33871 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * Development Tools Module 15-SP7 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Package Hub 15 15-SP7 An update that solves two vulnerabilities can now be installed. ## Description: This update for netty, netty-tcnative fixes the following issues: Upidate to 4.1.132: * CVE-2026-33870: incorrectly parses quoted strings in HTTP/1.1 can lead to request smuggling (bsc#1261031). * CVE-2026-33871: sending a flood of CONTINUATION frames can lead to a denial of service (bsc#1261043). Changelog: * Upgrade to upstream version 4.1.132 * Fixes: * Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR retry loop * Make RefCntOpenSslContext.deallocate more robust * HTTP2: Correctly account for padding when decompress * Fix high-order bit aliasingin HttpUtil.validateToken * fix: the precedence of + is higher than > > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() * AdaptivePoolingAllocator: call unreserveMatchingBuddy(...) if byteBuf initialization failed * Don't assume CertificateFactory is thread-safe * Fix HttpObjectAggregator leaving connection stuck after 413 with AUTO_READ=false * HTTP2: Ensure preface is flushed in all cases * Fix UnsupportedOperationException in readTrailingHeaders * Fix client_max_window_bits parameter handling in permessage-deflate extension * Native transports: Fix possible fd leak when fcntl fails. * Kqueue: Fix undefined behaviour when GetStringUTFChars fails and SO_ACCEPTFILTER is supported * Kqueue: Possible overflow when using netty_kqueue_bsdsocket_setAcceptFilter(...) * Native transports: Fix undefined behaviour when GetStringUTFChars fails while open FD * Epoll: Add null checks for safety reasons * Epoll: Use correct value to initialize mmsghdr.msg_namelen * Epoll: Fix support for IP_RECVORIGDSTADDR * AdaptivePoolingAllocator: remove ensureAccessible() call in capacity(int) method * Epoll: setTcpMg5Sig(...) might overflow * JdkZlibDecoder: accumulate decompressed output before firing channelRead * Limit the number of Continuation frames per HTTP2 Headers (bsc#1261043, CVE-2026-33871) * Stricter HTTP/1.1 chunk extension parsing (bsc#1261031, CVE-2026-33870) * rediff * Upgrade to upstream version 4.1.131 * NioDatagramChannel.block(...) does not early return on failure * Support for AWS Libcrypto (AWS-LC) netty-tcnative build * codec-dns: Decompress MX RDATA exchange domain names during DNS record decoding * Buddy allocation for large buffers in adaptive allocator * SslHandler: Only resume on EventLoop if EventLoop is not shutting down already * Wrap ECONNREFUSED in PortUnreachableException for UDP * Bump com.ning:compress-lzf (4.1) * Fix adaptive allocator bug from notnoticing failed allocation * Avoid loosing original read exception * Backport multiple adaptive allocator changes * Upgrade to version 4.1.130 * Upgrade to version 2.0.75 Final * No formal changelog present * Needed by netty > = 4.2.11 ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2026-1353=1 * Development Tools Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-1353=1 * SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-1353=1 ## Package List: * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.75-150200.3.36.1 * netty-4.1.132-150200.4.43.1 * openSUSE Leap 15.6 (noarch) * netty-tcnative-javadoc-2.0.75-150200.3.36.1 * netty-javadoc-4.1.132-150200.4.43.1 * Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.75-150200.3.36.1 * netty-tcnative-debugsource-2.0.75-150200.3.36.1 * SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64) * netty-4.1.132-150200.4.43.1 * SUSE Package Hub 15 15-SP7 (noarch) * netty-javadoc-4.1.132-150200.4.43.1 ## References: * https://www.suse.com/security/cve/CVE-2026-33870.html * https://www.suse.com/security/cve/CVE-2026-33871.html * https://bugzilla.suse.com/show_bug.cgi?id=1261031 * https://bugzilla.suse.com/show_bug.cgi?id=1261043 . Two vulnerabilities in Netty and Netty-tcnative resolved in SUSE's important security update.. netty update important security SUSE. . Severity: Important. LinuxSecurity.com Team
An update that solves 2 vulnerabilities can now be installed.. # netty-4.1.132-1.1 on GA media Announcement ID: openSUSE-SU-2026:10463-1 Rating: moderate Cross-References: * CVE-2026-33870 * CVE-2026-33871 CVSS scores: * CVE-2026-33870 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-33870 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-33871 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33871 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: * openSUSE Tumbleweed An update that solves 2 vulnerabilities can now be installed. ## Description: These are all security issues fixed in the netty-4.1.132-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * netty 4.1.132-1.1 * netty-bom 4.1.132-1.1 * netty-javadoc 4.1.132-1.1 * netty-parent 4.1.132-1.1 ## References: * https://www.suse.com/security/cve/CVE-2026-33870.html * https://www.suse.com/security/cve/CVE-2026-33871.html . An update for openSUSE Tumbleweed addressing two moderate severity issues in netty package.. openSUSE Tumbleweed netty update vulnerabilities patch. . LinuxSecurity.com Team
An update that solves one vulnerability can now be installed.. # Security update for netty Announcement ID: SUSE-SU-2025:4489-1 Release Date: 2025-12-19T11:02:03Z Rating: moderate References: * bsc#1255048 Cross-References: * CVE-2025-67735 CVSS scores: * CVE-2025-67735 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2025-67735 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2025-67735 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Affected Products: * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Package Hub 15 15-SP7 An update that solves one vulnerability can now be installed. ## Description: This update for netty fixes the following issues: Update to upstream version 4.1.130. Security issues fixed: * CVE-2025-67735: lack of URI sanitization in `HttpRequestEncoder` allows for CRLF injection through a request URI and can lead to request smuggling (bsc#1255048). Other updates and bugfixes: * Version 4.1.130: * Update `lz4-java` version to 1.10.1 * Close `Channel` and fail bootstrap when setting a `ChannelOption` causes an error * Discard the following `HttpContent` for preflight request * Fix race condition in `NonStickyEventExecutorGroup` causing incorrect `inEventLoop()` results * Fix Zstd compression for large data * Fix `ZstdEncoder` not producing data when source is smaller than block * Make big endian ASCII hashcode consistent with little endian * Fix reentrancy bug in `ByteToMessageDecoder` * Add 32k and 64k size classes to adaptive allocator * Re-enable reflective field accesses in native images * Correct HTTP/2 padding length check * Fix HTTP startline validation * Fix `MpscIntQueue` bug * Build against the `org.jboss:jdk-misc` artifact that is implementing the `sun.misc` classes removed in Java 25 ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-4489=1 * SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4489=1 ## Package List: * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) * netty-4.1.130-150200.4.40.1 * openSUSE Leap 15.6 (noarch) * netty-javadoc-4.1.130-150200.4.40.1 * SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64) * netty-4.1.130-150200.4.40.1 * SUSE Package Hub 15 15-SP7 (noarch) * netty-javadoc-4.1.130-150200.4.40.1 ## References: * https://www.suse.com/security/cve/CVE-2025-67735.html * https://bugzilla.suse.com/show_bug.cgi?id=1255048 . Maintain your SUSE system's security with the latest netty patch addressing request smuggling vulnerabilities.. SUSE update netty URI sanitization security fix risk management. . LinuxSecurity.com Team
An update that solves one vulnerability can now be installed.. # netty-4.1.130-1.1 on GA media Announcement ID: openSUSE-SU-2025:15824-1 Rating: moderate Cross-References: * CVE-2025-67735 CVSS scores: * CVE-2025-67735 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2025-67735 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Affected Products: * openSUSE Tumbleweed An update that solves one vulnerability can now be installed. ## Description: These are all security issues fixed in the netty-4.1.130-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * netty 4.1.130-1.1 * netty-bom 4.1.130-1.1 * netty-javadoc 4.1.130-1.1 * netty-parent 4.1.130-1.1 ## References: * https://www.suse.com/security/cve/CVE-2025-67735.html . An important update for openSUSE Tumbleweed addresses a moderate security issue in netty that requires immediate attention.. openSUSE netty update security issue vulnerability. . LinuxSecurity.com Team
Several security issues were fixed in Netty.. ========================================================================== Ubuntu Security Notice USN-7918-1 December 09, 2025 netty vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 25.04 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Netty. Software Description: - netty: event-driven asynchronous network application framework Details: Jeppe Bonde Weikop discovered that Netty incorrectly parsed HTTP messages. When Netty is used with certain reverse proxies, a remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2025-58056) Jonas Konrad discovered that Netty did not properly manage memory when decoding compressed data. A remote attacker could possibly use this issue to cause Netty to consume excessive memory, resulting in a denial of service. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-58057) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 libnetty-java 1:4.1.48-10ubuntu0.25.10.2 Ubuntu 25.04 libnetty-java 1:4.1.48-10ubuntu0.25.04.2 Ubuntu 24.04 LTS libnetty-java 1:4.1.48-9ubuntu0.1 Ubuntu 22.04 LTS libnetty-java 1:4.1.48-4+deb11u2ubuntu0.1 Ubuntu 20.04 LTS libnetty-java 1:4.1.45-1ubuntu0.1~esm4 Available with Ubuntu Pro Ubuntu 18.04 LTS libnetty-java 1:4.1.7-4ubuntu0.1+esm5 Available with Ubuntu Pro Ubuntu 16.04 LTS libnetty-java 1:4.0.34-1ubuntu0.1~esm3 Available withUbuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7918-1 CVE-2025-58056, CVE-2025-58057 Package Information: https://launchpad.net/ubuntu/+source/netty/1:4.1.48-10ubuntu0.25.10.2 https://launchpad.net/ubuntu/+source/netty/1:4.1.48-10ubuntu0.25.04.2 https://launchpad.net/ubuntu/+source/netty/1:4.1.48-4+deb11u2ubuntu0.1 . Several Netty security issues fixed in Ubuntu affecting various releases. Update recommended for continued security.. Ubuntu Security, Netty Issues, Denial of Service, HTTP Attack, Linux Security. . Severity: Important. LinuxSecurity.com Team
An update that solves one vulnerability can now be installed.. # Security update for netty, netty-tcnative Announcement ID: SUSE-SU-2025:4087-1 Release Date: 2025-11-12T19:35:33Z Rating: moderate References: * bsc#1252097 Cross-References: * CVE-2025-59419 CVSS scores: * CVE-2025-59419 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2025-59419 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2025-59419 ( NVD ): 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Affected Products: * Development Tools Module 15-SP6 * Development Tools Module 15-SP7 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Package Hub 15 15-SP6 * SUSE Package Hub 15 15-SP7 An update that solves one vulnerability can now be installed. ## Description: This update for netty, netty-tcnative fixes the following issues: * CVE-2025-59419: fixed SMTP command injection vulnerability that allowed email forgery (bsc#1252097) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-4087=1 * Development Tools Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-4087=1 * Development Tools Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2025-4087=1 * SUSE Package Hub 1515-SP6 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4087=1 * SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4087=1 ## Package List: * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.74-150200.3.33.1 * netty-4.1.128-150200.4.37.1 * openSUSE Leap 15.6 (noarch) * netty-javadoc-4.1.128-150200.4.37.1 * netty-tcnative-javadoc-2.0.74-150200.3.33.1 * Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.74-150200.3.33.1 * Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.74-150200.3.33.1 * netty-tcnative-debugsource-2.0.74-150200.3.33.1 * SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64) * netty-4.1.128-150200.4.37.1 * SUSE Package Hub 15 15-SP6 (noarch) * netty-javadoc-4.1.128-150200.4.37.1 * SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64) * netty-4.1.128-150200.4.37.1 * SUSE Package Hub 15 15-SP7 (noarch) * netty-javadoc-4.1.128-150200.4.37.1 ## References: * https://www.suse.com/security/cve/CVE-2025-59419.html * https://bugzilla.suse.com/show_bug.cgi?id=1252097 . Security update for openSUSE addresses a moderate SMTP command injection issue in netty and netty-tcnative.. openSUSE security update, netty command injection, netty-tcnative fix. . LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.