[Git][java-team/netty][fix-cve-2025-55163] WIP: rework CVE-2025-55163 backport
Bastien Roucariès (@rouca)
gitlab at salsa.debian.org
Sun Nov 9 10:32:12 GMT 2025
Bastien Roucariès pushed to branch fix-cve-2025-55163 at Debian Java Maintainers / netty
Commits:
d1bdd131 by Julien Plissonneau Duquène at 2025-11-09T11:31:53+01:00
WIP: rework CVE-2025-55163 backport
- - - - -
5 changed files:
- debian/patches/CVE-2025-55163_1.patch
- debian/patches/CVE-2025-55163_2.patch
- + debian/patches/CVE-2025-55163_before-1.patch
- debian/patches/CVE-2025-59419
- debian/patches/series
Changes:
=====================================
debian/patches/CVE-2025-55163_1.patch
=====================================
@@ -29,11 +29,9 @@ bug-github-pull: https://github.com/netty/netty/pull/15516
.../codec/http2/Http2ConnectionHandlerTest.java | 22 +++++++++++-----------
2 files changed, 14 insertions(+), 14 deletions(-)
-diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java
-index 909ca74..0dd73cb 100644
--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java
+++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java
-@@ -706,7 +706,7 @@ public class Http2ConnectionHandler extends ByteToMessageDecoder implements Http
+@@ -706,7 +706,7 @@
try {
stream = encoder.connection().remote().createStream(streamId, true);
} catch (Http2Exception e) {
@@ -42,7 +40,7 @@ index 909ca74..0dd73cb 100644
return;
}
}
-@@ -723,10 +723,10 @@ public class Http2ConnectionHandler extends ByteToMessageDecoder implements Http
+@@ -723,10 +723,10 @@
if (stream == null) {
if (!outbound || connection().local().mayHaveCreatedStream(streamId)) {
@@ -55,11 +53,9 @@ index 909ca74..0dd73cb 100644
}
}
-diff --git a/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java b/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java
-index 0143edc..90b0ef6 100644
--- a/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java
+++ b/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java
-@@ -403,7 +403,7 @@ public class Http2ConnectionHandlerTest {
+@@ -403,7 +403,7 @@
when(connection.isServer()).thenReturn(true);
when(stream.isHeadersSent()).thenReturn(false);
when(remote.lastStreamCreated()).thenReturn(STREAM_ID);
@@ -68,7 +64,7 @@ index 0143edc..90b0ef6 100644
eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future);
handler.exceptionCaught(ctx, e);
-@@ -413,7 +413,7 @@ public class Http2ConnectionHandlerTest {
+@@ -413,7 +413,7 @@
captor.capture(), eq(padding), eq(true), eq(promise));
Http2Headers headers = captor.getValue();
assertEquals(HttpResponseStatus.REQUEST_HEADER_FIELDS_TOO_LARGE.codeAsText(), headers.status());
@@ -77,7 +73,7 @@ index 0143edc..90b0ef6 100644
}
@Test
-@@ -427,14 +427,14 @@ public class Http2ConnectionHandlerTest {
+@@ -427,14 +427,14 @@
when(connection.isServer()).thenReturn(true);
when(stream.isHeadersSent()).thenReturn(false);
when(remote.lastStreamCreated()).thenReturn(STREAM_ID);
@@ -94,7 +90,7 @@ index 0143edc..90b0ef6 100644
}
@Test
-@@ -448,14 +448,14 @@ public class Http2ConnectionHandlerTest {
+@@ -448,14 +448,14 @@
when(connection.isServer()).thenReturn(false);
when(stream.isHeadersSent()).thenReturn(false);
when(remote.lastStreamCreated()).thenReturn(STREAM_ID);
@@ -111,7 +107,7 @@ index 0143edc..90b0ef6 100644
}
@Test
-@@ -484,14 +484,14 @@ public class Http2ConnectionHandlerTest {
+@@ -484,14 +484,14 @@
when(connection.isServer()).thenReturn(true);
when(stream.isHeadersSent()).thenReturn(true);
when(remote.lastStreamCreated()).thenReturn(STREAM_ID);
@@ -128,7 +124,7 @@ index 0143edc..90b0ef6 100644
}
@Test
-@@ -508,15 +508,15 @@ public class Http2ConnectionHandlerTest {
+@@ -508,15 +508,15 @@
when(connection.isServer()).thenReturn(true);
when(stream.isHeadersSent()).thenReturn(false);
when(remote.lastStreamCreated()).thenReturn(STREAM_ID);
=====================================
debian/patches/CVE-2025-55163_2.patch
=====================================
@@ -23,39 +23,40 @@ Fix high resource usage that can be caused by a remote peer by trigger RST frame
origin: backport, https://github.com/netty/netty/commit/009bd17b38a39fb1eecf9d22ea8ae8108afaac59
bug: https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
---
- .../AbstractHttp2ConnectionHandlerBuilder.java | 56 +++++-
+ .../AbstractHttp2ConnectionHandlerBuilder.java | 54 +++++-
.../codec/http2/Http2ConnectionHandlerBuilder.java | 8 +
.../codec/http2/Http2FrameCodecBuilder.java | 6 +
+ .../codec/http2/Http2MaxRstFrameLimitEncoder.java | 85 ++++++++
.../codec/http2/Http2MultiplexCodecBuilder.java | 6 +
.../http2/Http2MaxRstFrameLimitEncoderTest.java | 213 +++++++++++++++++++++
- 5 files changed, 282 insertions(+), 7 deletions(-)
+ 6 files changed, 367 insertions(+), 5 deletions(-)
+ create mode 100644 codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameLimitEncoder.java
create mode 100644 codec-http2/src/test/java/io/netty/handler/codec/http2/Http2MaxRstFrameLimitEncoderTest.java
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
-index a904310..157739d 100644
+index fc70dfe..572da55 100644
--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
+++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
-@@ -109,9 +109,10 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder<T extends Http2Conne
- private boolean autoAckPingFrame = true;
+@@ -112,7 +112,10 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder<T extends Http2Conne
private int maxQueuedControlFrames = Http2CodecUtil.DEFAULT_MAX_QUEUED_CONTROL_FRAMES;
private int maxConsecutiveEmptyFrames = 2;
-- private int maxRstFramesPerWindow = 200;
+ private Integer maxRstFramesPerWindow;
- private int secondsPerWindow = 30;
--
+ private Integer maxDecodedRstFramesPerWindow;
+ private int maxDecodedRstFramesSecondsPerWindow = 30;
+ private Integer maxEncodedRstFramesPerWindow;
+ private int maxEncodedRstFramesSecondsPerWindow = 30;
+
/**
* Sets the {@link Http2Settings} to use for the initial connection settings exchange.
- */
-@@ -444,9 +445,24 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder<T extends Http2Conne
+@@ -446,9 +449,24 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder<T extends Http2Conne
*/
protected B decoderEnforceMaxRstFramesPerWindow(int maxRstFramesPerWindow, int secondsPerWindow) {
enforceNonCodecConstraints("decoderEnforceMaxRstFramesPerWindow");
- this.maxRstFramesPerWindow = checkPositiveOrZero(
+ this.maxDecodedRstFramesPerWindow = checkPositiveOrZero(
-+ maxRstFramesPerWindow, "maxRstFramesPerWindow");
+ maxRstFramesPerWindow, "maxRstFramesPerWindow");
+- this.secondsPerWindow = checkPositiveOrZero(secondsPerWindow, "secondsPerWindow");
+ this.maxDecodedRstFramesSecondsPerWindow = checkPositiveOrZero(secondsPerWindow, "secondsPerWindow");
+ return self();
+ }
@@ -70,13 +71,12 @@ index a904310..157739d 100644
+ protected B encoderEnforceMaxRstFramesPerWindow(int maxRstFramesPerWindow, int secondsPerWindow) {
+ enforceNonCodecConstraints("decoderEnforceMaxRstFramesPerWindow");
+ this.maxEncodedRstFramesPerWindow = checkPositiveOrZero(
- maxRstFramesPerWindow, "maxRstFramesPerWindow");
-- this.secondsPerWindow = checkPositiveOrZero(secondsPerWindow, "secondsPerWindow");
++ maxRstFramesPerWindow, "maxRstFramesPerWindow");
+ this.maxEncodedRstFramesSecondsPerWindow = checkPositiveOrZero(secondsPerWindow, "secondsPerWindow");
return self();
}
-@@ -541,6 +557,21 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder<T extends Http2Conne
+@@ -543,6 +561,21 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder<T extends Http2Conne
if (maxQueuedControlFrames != 0) {
encoder = new Http2ControlFrameLimitEncoder(encoder, maxQueuedControlFrames);
}
@@ -98,12 +98,12 @@ index a904310..157739d 100644
if (encoderEnforceMaxConcurrentStreams) {
if (connection.isServer()) {
encoder.close();
-@@ -562,8 +593,19 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder<T extends Http2Conne
- if (maxConsecutiveEmptyDataFrames > 0) {
- decoder = new Http2EmptyDataFrameConnectionDecoder(decoder, maxConsecutiveEmptyDataFrames);
+@@ -575,8 +608,19 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder<T extends Http2Conne
+ } else {
+ maxRstFrames = maxRstFramesPerWindow;
}
-- if (maxRstFramesPerWindow > 0 && secondsPerWindow > 0) {
-- decoder = new Http2MaxRstFrameDecoder(decoder, maxRstFramesPerWindow, secondsPerWindow);
+- if (maxRstFrames > 0 && secondsPerWindow > 0) {
+- decoder = new Http2MaxRstFrameDecoder(decoder, maxRstFrames, secondsPerWindow);
+ final int maxDecodedRstFrames;
+ if (maxDecodedRstFramesPerWindow == null) {
+ // Only enable by default on the server.
@@ -147,11 +147,11 @@ index c6d1ce7..1d2ac71 100644
public Http2ConnectionHandler build() {
return super.build();
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java
-index 241c9c5..b73413f 100644
+index ab183e5..ef0cffe 100644
--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java
+++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java
@@ -183,6 +183,12 @@ public class Http2FrameCodecBuilder extends
- return super.decoderEnforceMaxRstFramesPerWindow(maxConsecutiveEmptyFrames, secondsPerWindow);
+ return super.decoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
}
+ @Override
@@ -163,12 +163,103 @@ index 241c9c5..b73413f 100644
/**
* Build a {@link Http2FrameCodec} object.
*/
+diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameLimitEncoder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameLimitEncoder.java
+new file mode 100644
+index 0000000..a36b3d7
+--- /dev/null
++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameLimitEncoder.java
+@@ -0,0 +1,85 @@
++/*
++ * Copyright 2025 The Netty Project
++ *
++ * The Netty Project licenses this file to you under the Apache License, version 2.0 (the
++ * "License"); you may not use this file except in compliance with the License. You may obtain a
++ * copy of the License at:
++ *
++ * https://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software distributed under the License
++ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
++ * or implied. See the License for the specific language governing permissions and limitations under
++ * the License.
++ */
++package io.netty.handler.codec.http2;
++
++import io.netty.channel.ChannelFuture;
++import io.netty.channel.ChannelHandlerContext;
++import io.netty.channel.ChannelPromise;
++import io.netty.util.internal.logging.InternalLogger;
++import io.netty.util.internal.logging.InternalLoggerFactory;
++
++import java.util.concurrent.TimeUnit;
++
++/**
++ * {@link DecoratingHttp2ConnectionEncoder} which guards against a remote peer that will trigger a massive amount
++ * of RST frames on an existing connection.
++ * This encoder will tear-down the connection once we reached the configured limit to reduce the risk of DDOS.
++ */
++final class Http2MaxRstFrameLimitEncoder extends DecoratingHttp2ConnectionEncoder {
++ private static final InternalLogger logger = InternalLoggerFactory.getInstance(Http2MaxRstFrameLimitEncoder.class);
++
++ private final long nanosPerWindow;
++ private final int maxRstFramesPerWindow;
++ private long lastRstFrameNano = System.nanoTime();
++ private int sendRstInWindow;
++ private Http2LifecycleManager lifecycleManager;
++
++ Http2MaxRstFrameLimitEncoder(Http2ConnectionEncoder delegate, int maxRstFramesPerWindow, int secondsPerWindow) {
++ super(delegate);
++ this.maxRstFramesPerWindow = maxRstFramesPerWindow;
++ this.nanosPerWindow = TimeUnit.SECONDS.toNanos(secondsPerWindow);
++ }
++
++ @Override
++ public void lifecycleManager(Http2LifecycleManager lifecycleManager) {
++ this.lifecycleManager = lifecycleManager;
++ super.lifecycleManager(lifecycleManager);
++ }
++
++ @Override
++ public ChannelFuture writeRstStream(ChannelHandlerContext ctx, int streamId, long errorCode,
++ ChannelPromise promise) {
++ ChannelFuture future = super.writeRstStream(ctx, streamId, errorCode, promise);
++ if (countRstFrameErrorCode(errorCode)) {
++ long currentNano = System.nanoTime();
++ if (currentNano - lastRstFrameNano >= nanosPerWindow) {
++ lastRstFrameNano = currentNano;
++ sendRstInWindow = 1;
++ } else {
++ sendRstInWindow++;
++ if (sendRstInWindow > maxRstFramesPerWindow) {
++ Http2Exception exception = Http2Exception.connectionError(Http2Error.ENHANCE_YOUR_CALM,
++ "Maximum number %d of RST frames frames reached within %d seconds", maxRstFramesPerWindow,
++ TimeUnit.NANOSECONDS.toSeconds(nanosPerWindow));
++
++ logger.debug("{} Maximum number {} of RST frames reached within {} seconds, " +
++ "closing connection with {} error", ctx.channel(), maxRstFramesPerWindow,
++ TimeUnit.NANOSECONDS.toSeconds(nanosPerWindow), exception.error(),
++ exception);
++ // First notify the Http2LifecycleManager and then close the connection.
++ lifecycleManager.onError(ctx, true, exception);
++ ctx.close();
++ }
++ }
++ }
++
++ return future;
++ }
++
++ private boolean countRstFrameErrorCode(long errorCode) {
++ // Don't count CANCEL and NO_ERROR as these might be ok.
++ return errorCode != Http2Error.CANCEL.code() && errorCode != Http2Error.NO_ERROR.code();
++ }
++}
diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java
-index a3c0bed..34fa5e8 100644
+index 0a38d4e..da097ec 100644
--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java
+++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java
@@ -212,6 +212,12 @@ public class Http2MultiplexCodecBuilder
- return super.decoderEnforceMaxRstFramesPerWindow(maxConsecutiveEmptyFrames, secondsPerWindow);
+ return super.decoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
}
+ @Override
=====================================
debian/patches/CVE-2025-55163_before-1.patch
=====================================
@@ -0,0 +1,91 @@
+commit 9b80d081ff3478c46152b012ae0e21f939467ac3
+Author: Norman Maurer <norman_maurer at apple.com>
+Date: Sat Oct 28 20:49:44 2023 +0200
+
+Only enable the RST limit for servers by default (#13671)
+
+Motivation:
+
+We dont need to limit the number of RST frames per connection when we
+are bulding a codec for the client side.
+
+Modifications:
+
+Dont limit the numbers of RST frames per connection when building a
+codec for the client side.
+
+Result:
+
+Only add limit where needed
+
+origin: backport, https://github.com/netty/netty/commit/9b80d081ff3478c46152b012ae0e21f939467ac3
+bug-github-pull: https://github.com/netty/netty/pull/13671
+
+--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java
+@@ -78,6 +78,8 @@
+
+ private static final SensitivityDetector DEFAULT_HEADER_SENSITIVITY_DETECTOR = Http2HeadersEncoder.NEVER_SENSITIVE;
+
++ private static final int DEFAULT_MAX_RST_FRAMES_PER_CONNECTION_FOR_SERVER = 200;
++
+ // The properties that can always be set.
+ private Http2Settings initialSettings = Http2Settings.defaultSettings();
+ private Http2FrameListener frameListener;
+@@ -109,7 +111,7 @@
+ private boolean autoAckPingFrame = true;
+ private int maxQueuedControlFrames = Http2CodecUtil.DEFAULT_MAX_QUEUED_CONTROL_FRAMES;
+ private int maxConsecutiveEmptyFrames = 2;
+- private int maxRstFramesPerWindow = 200;
++ private Integer maxRstFramesPerWindow;
+ private int secondsPerWindow = 30;
+
+ /**
+@@ -562,8 +564,19 @@
+ if (maxConsecutiveEmptyDataFrames > 0) {
+ decoder = new Http2EmptyDataFrameConnectionDecoder(decoder, maxConsecutiveEmptyDataFrames);
+ }
+- if (maxRstFramesPerWindow > 0 && secondsPerWindow > 0) {
+- decoder = new Http2MaxRstFrameDecoder(decoder, maxRstFramesPerWindow, secondsPerWindow);
++ final int maxRstFrames;
++ if (maxRstFramesPerWindow == null) {
++ // Only enable by default on the server.
++ if (isServer()) {
++ maxRstFrames = DEFAULT_MAX_RST_FRAMES_PER_CONNECTION_FOR_SERVER;
++ } else {
++ maxRstFrames = 0;
++ }
++ } else {
++ maxRstFrames = maxRstFramesPerWindow;
++ }
++ if (maxRstFrames > 0 && secondsPerWindow > 0) {
++ decoder = new Http2MaxRstFrameDecoder(decoder, maxRstFrames, secondsPerWindow);
+ }
+ final T handler;
+ try {
+--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java
++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java
+@@ -179,8 +179,8 @@
+
+ @Override
+ public Http2FrameCodecBuilder decoderEnforceMaxRstFramesPerWindow(
+- int maxConsecutiveEmptyFrames, int secondsPerWindow) {
+- return super.decoderEnforceMaxRstFramesPerWindow(maxConsecutiveEmptyFrames, secondsPerWindow);
++ int maxRstFramesPerWindow, int secondsPerWindow) {
++ return super.decoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
+ }
+
+ /**
+--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java
++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java
+@@ -208,8 +208,8 @@
+
+ @Override
+ public Http2MultiplexCodecBuilder decoderEnforceMaxRstFramesPerWindow(
+- int maxConsecutiveEmptyFrames, int secondsPerWindow) {
+- return super.decoderEnforceMaxRstFramesPerWindow(maxConsecutiveEmptyFrames, secondsPerWindow);
++ int maxRstFramesPerWindow, int secondsPerWindow) {
++ return super.decoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
+ }
+
+ @Override
=====================================
debian/patches/CVE-2025-59419
=====================================
@@ -32,11 +32,9 @@ bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118282
3 files changed, 119 insertions(+)
create mode 100644 codec-smtp/src/test/java/io/netty/handler/codec/smtp/SmtpRequestsTest.java
-diff --git a/codec-smtp/src/main/java/io/netty/handler/codec/smtp/DefaultSmtpRequest.java b/codec-smtp/src/main/java/io/netty/handler/codec/smtp/DefaultSmtpRequest.java
-index 8f4d697..ae6acb4 100644
--- a/codec-smtp/src/main/java/io/netty/handler/codec/smtp/DefaultSmtpRequest.java
+++ b/codec-smtp/src/main/java/io/netty/handler/codec/smtp/DefaultSmtpRequest.java
-@@ -43,6 +43,7 @@ public final class DefaultSmtpRequest implements SmtpRequest {
+@@ -43,6 +43,7 @@
*/
public DefaultSmtpRequest(SmtpCommand command, CharSequence... parameters) {
this.command = ObjectUtil.checkNotNull(command, "command");
@@ -44,7 +42,7 @@ index 8f4d697..ae6acb4 100644
this.parameters = SmtpUtils.toUnmodifiableList(parameters);
}
-@@ -55,6 +56,7 @@ public final class DefaultSmtpRequest implements SmtpRequest {
+@@ -55,6 +56,7 @@
DefaultSmtpRequest(SmtpCommand command, List<CharSequence> parameters) {
this.command = ObjectUtil.checkNotNull(command, "command");
@@ -52,11 +50,9 @@ index 8f4d697..ae6acb4 100644
this.parameters = parameters != null ?
Collections.unmodifiableList(parameters) : Collections.<CharSequence>emptyList();
}
-diff --git a/codec-smtp/src/main/java/io/netty/handler/codec/smtp/SmtpUtils.java b/codec-smtp/src/main/java/io/netty/handler/codec/smtp/SmtpUtils.java
-index a2b84ea..6b84dc1 100644
--- a/codec-smtp/src/main/java/io/netty/handler/codec/smtp/SmtpUtils.java
+++ b/codec-smtp/src/main/java/io/netty/handler/codec/smtp/SmtpUtils.java
-@@ -28,5 +28,49 @@ final class SmtpUtils {
+@@ -28,5 +28,49 @@
return Collections.unmodifiableList(Arrays.asList(sequences));
}
@@ -106,9 +102,6 @@ index a2b84ea..6b84dc1 100644
+
private SmtpUtils() { }
}
-diff --git a/codec-smtp/src/test/java/io/netty/handler/codec/smtp/SmtpRequestsTest.java b/codec-smtp/src/test/java/io/netty/handler/codec/smtp/SmtpRequestsTest.java
-new file mode 100644
-index 0000000..f7b5b6a
--- /dev/null
+++ b/codec-smtp/src/test/java/io/netty/handler/codec/smtp/SmtpRequestsTest.java
@@ -0,0 +1,73 @@
=====================================
debian/patches/series
=====================================
@@ -26,5 +26,6 @@ CVE-2023-44487.patch
22-java-21.patch
CVE-2024-29025.patch
CVE-2025-59419
+CVE-2025-55163_before-1.patch
CVE-2025-55163_1.patch
CVE-2025-55163_2.patch
View it on GitLab: https://salsa.debian.org/java-team/netty/-/commit/d1bdd1317e117a2c86f3732fef33b589fb0b5e3f
--
View it on GitLab: https://salsa.debian.org/java-team/netty/-/commit/d1bdd1317e117a2c86f3732fef33b589fb0b5e3f
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20251109/ccd26a5a/attachment.htm>
More information about the pkg-java-commits
mailing list