4.1.126

OBS-URL: https://build.opensuse.org/package/show/Java:packages/netty?expand=0&rev=66

0001-Remove-optional-dep-Blockhound.patch

@@ -1,4 +1,4 @@
-From 2caba3146e0ff279db66cd8362c06efdeac0d48e Mon Sep 17 00:00:00 2001
+From 36ea49fb9506d63fa4198b30b22bc33adc9c74d7 Mon Sep 17 00:00:00 2001
 From: Mat Booth <mat.booth@redhat.com>
 Date: Mon, 7 Sep 2020 12:17:31 +0100
 Subject: [PATCH 1/4] Remove optional dep Blockhound
@@ -23,7 +23,7 @@ Subject: [PATCH 1/4] Remove optional dep Blockhound
  delete mode 100644 transport-blockhound-tests/src/test/resources/io/netty/util/internal/mutual_auth_ca.pem
 
 diff --git a/common/pom.xml b/common/pom.xml
-index 66e719e183..77452afbac 100644
+index a70b4f3b18..eb83e339af 100644
 --- a/common/pom.xml
 +++ b/common/pom.xml
 @@ -82,11 +82,6 @@
@@ -266,7 +266,7 @@ index e33bea796c..0000000000
 -io.netty.util.internal.Hidden$NettyBlockHoundIntegration
 \ No newline at end of file
 diff --git a/pom.xml b/pom.xml
-index 4f572c5912..6b389326a4 100644
+index 0626fc25ec..5c5b5f8ef4 100644
 --- a/pom.xml
 +++ b/pom.xml
 @@ -839,7 +839,6 @@
@@ -293,7 +293,7 @@ index 4f572c5912..6b389326a4 100644
  
 diff --git a/transport-blockhound-tests/pom.xml b/transport-blockhound-tests/pom.xml
 deleted file mode 100644
-index a48ee58b90..0000000000
+index d63f055214..0000000000
 --- a/transport-blockhound-tests/pom.xml
 +++ /dev/null
 @@ -1,219 +0,0 @@
@@ -319,7 +319,7 @@ index a48ee58b90..0000000000
 -  <parent>
 -    <groupId>io.netty</groupId>
 -    <artifactId>netty-parent</artifactId>
--    <version>4.1.123.Final</version>
+-    <version>4.1.126.Final</version>
 -  </parent>
 -
 -  <artifactId>netty-transport-blockhound-tests</artifactId>
@@ -1173,5 +1173,5 @@ index 9c9241bc65..0000000000
 -hH82y9bBeflqroOeztqMpONpWoZjlz0sWbJNvXztXINL7LaNmVYOcoUrCcxPS54T
 ------END CERTIFICATE-----
 -- 
-2.50.1
+2.51.0
 

0002-Remove-optional-dep-conscrypt.patch

@@ -1,4 +1,4 @@
-From 8f4108d30a1a883b60bc944165ab1ecd91792d2e Mon Sep 17 00:00:00 2001
+From cfbe0ed5d7f2d0571b70213f07f3a414aff674e0 Mon Sep 17 00:00:00 2001
 From: Mat Booth <mat.booth@redhat.com>
 Date: Mon, 7 Sep 2020 13:24:30 +0100
 Subject: [PATCH 2/4] Remove optional dep conscrypt
@@ -7,15 +7,15 @@ Subject: [PATCH 2/4] Remove optional dep conscrypt
  handler/pom.xml                               |   6 -
  .../java/io/netty/handler/ssl/Conscrypt.java  |  75 -------
  .../handler/ssl/ConscryptAlpnSslEngine.java   | 212 ------------------
- .../JdkAlpnApplicationProtocolNegotiator.java |  11 +-
+ .../JdkAlpnApplicationProtocolNegotiator.java |   8 +-
  .../java/io/netty/handler/ssl/SslHandler.java |  52 +----
  pom.xml                                       |  10 -
- 6 files changed, 2 insertions(+), 364 deletions(-)
+ 6 files changed, 2 insertions(+), 361 deletions(-)
  delete mode 100644 handler/src/main/java/io/netty/handler/ssl/Conscrypt.java
  delete mode 100644 handler/src/main/java/io/netty/handler/ssl/ConscryptAlpnSslEngine.java
 
 diff --git a/handler/pom.xml b/handler/pom.xml
-index d13a8b48ed..e8375d6273 100644
+index 3d6bf34da7..4f1f05513d 100644
 --- a/handler/pom.xml
 +++ b/handler/pom.xml
 @@ -96,12 +96,6 @@
@@ -331,10 +331,10 @@ index 917ebaea79..0000000000
 -    }
 -}
 diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java b/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java
-index 9eb8f15d14..b5715e87ff 100644
+index dc3533e95d..92b0bc8b56 100644
 --- a/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java
 +++ b/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java
-@@ -26,8 +26,7 @@ import javax.net.ssl.SSLEngine;
+@@ -27,8 +27,7 @@ import javax.net.ssl.SSLEngine;
   */
  @Deprecated
  public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicationProtocolNegotiator {
@@ -342,9 +342,9 @@ index 9eb8f15d14..b5715e87ff 100644
 -                                             JdkAlpnSslUtils.supportsAlpn() ||
 +    private static final boolean AVAILABLE = JdkAlpnSslUtils.supportsAlpn() ||
                                               JettyAlpnSslEngine.isAvailable() ||
-                                              BouncyCastle.isAvailable();
+                                              BouncyCastleUtil.isBcTlsAvailable();
  
-@@ -120,7 +119,6 @@ public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicati
+@@ -121,7 +120,6 @@ public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicati
          public SSLEngine wrapSslEngine(SSLEngine engine, ByteBufAllocator alloc,
                                         JdkApplicationProtocolNegotiator applicationNegotiator, boolean isServer) {
              throw new RuntimeException("ALPN unsupported. Is your classpath configured correctly?"
@@ -352,7 +352,7 @@ index 9eb8f15d14..b5715e87ff 100644
                      + " For Jetty-ALPN, see "
                      + "https://www.eclipse.org/jetty/documentation/current/alpn-chapter.html#alpn-starting");
          }
-@@ -130,13 +128,6 @@ public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicati
+@@ -131,10 +129,6 @@ public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicati
          @Override
          public SSLEngine wrapSslEngine(SSLEngine engine, ByteBufAllocator alloc,
                                         JdkApplicationProtocolNegotiator applicationNegotiator, boolean isServer) {
@@ -360,12 +360,9 @@ index 9eb8f15d14..b5715e87ff 100644
 -                return isServer ? ConscryptAlpnSslEngine.newServerEngine(engine, alloc, applicationNegotiator)
 -                        : ConscryptAlpnSslEngine.newClientEngine(engine, alloc, applicationNegotiator);
 -            }
--            if (BouncyCastle.isInUse(engine)) {
--                return new BouncyCastleAlpnSslEngine(engine, applicationNegotiator, isServer);
--            }
-             // ALPN support was recently backported to Java8 as
-             // https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8230977.
-             // Because of this lets not do a Java version runtime check but just depend on if the required methods are
+             if (BouncyCastleUtil.isBcJsseInUse(engine)) {
+                 return new BouncyCastleAlpnSslEngine(engine, applicationNegotiator, isServer);
+             }
 diff --git a/handler/src/main/java/io/netty/handler/ssl/SslHandler.java b/handler/src/main/java/io/netty/handler/ssl/SslHandler.java
 index f80b3004a8..6159b87ca2 100644
 --- a/handler/src/main/java/io/netty/handler/ssl/SslHandler.java
@@ -437,7 +434,7 @@ index f80b3004a8..6159b87ca2 100644
  
          SslEngineType(boolean wantsDirectBuffer, Cumulator cumulator) {
 diff --git a/pom.xml b/pom.xml
-index 6b389326a4..e3d8295642 100644
+index 5c5b5f8ef4..170736db51 100644
 --- a/pom.xml
 +++ b/pom.xml
 @@ -918,16 +918,6 @@
@@ -458,5 +455,5 @@ index 6b389326a4..e3d8295642 100644
        <dependency>
          <groupId>software.amazon.cryptools</groupId>
 -- 
-2.50.1
+2.51.0
 

0003-Remove-optional-deps-jetty-alpn-and-npn.patch

@@ -1,4 +1,4 @@
-From 80592dee40e6b80b630c5931e4e76d0bbe7e9cfd Mon Sep 17 00:00:00 2001
+From 6be7812aeb2313bbf0fba49f353d9941de26b897 Mon Sep 17 00:00:00 2001
 From: Mat Booth <mat.booth@redhat.com>
 Date: Mon, 7 Sep 2020 13:26:20 +0100
 Subject: [PATCH 3/4] Remove optional deps jetty alpn and npn
@@ -15,7 +15,7 @@ Subject: [PATCH 3/4] Remove optional deps jetty alpn and npn
  delete mode 100644 handler/src/main/java/io/netty/handler/ssl/JettyNpnSslEngine.java
 
 diff --git a/handler/pom.xml b/handler/pom.xml
-index e8375d6273..6b9a3dd5f7 100644
+index 4f1f05513d..2a1556277c 100644
 --- a/handler/pom.xml
 +++ b/handler/pom.xml
 @@ -86,16 +86,6 @@
@@ -36,18 +36,18 @@ index e8375d6273..6b9a3dd5f7 100644
        <groupId>org.mockito</groupId>
        <artifactId>mockito-core</artifactId>
 diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java b/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java
-index b5715e87ff..df87f0f43a 100644
+index 92b0bc8b56..f0db866388 100644
 --- a/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java
 +++ b/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java
-@@ -27,7 +27,6 @@ import javax.net.ssl.SSLEngine;
+@@ -28,7 +28,6 @@ import javax.net.ssl.SSLEngine;
  @Deprecated
  public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicationProtocolNegotiator {
      private static final boolean AVAILABLE = JdkAlpnSslUtils.supportsAlpn() ||
 -                                             JettyAlpnSslEngine.isAvailable() ||
-                                              BouncyCastle.isAvailable();
+                                              BouncyCastleUtil.isBcTlsAvailable();
  
      private static final SslEngineWrapperFactory ALPN_WRAPPER = AVAILABLE ? new AlpnWrapper() : new FailureWrapper();
-@@ -135,10 +134,6 @@ public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicati
+@@ -139,10 +138,6 @@ public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicati
              if (JdkAlpnSslUtils.supportsAlpn()) {
                  return new JdkAlpnSslEngine(engine, applicationNegotiator, isServer);
              }
@@ -374,7 +374,7 @@ index aad00b5f6d..0000000000
 -    }
 -}
 diff --git a/pom.xml b/pom.xml
-index e3d8295642..e6759f0794 100644
+index 170736db51..9add346f6b 100644
 --- a/pom.xml
 +++ b/pom.xml
 @@ -875,20 +875,6 @@
@@ -399,5 +399,5 @@ index e3d8295642..e6759f0794 100644
        <dependency>
          <groupId>com.google.protobuf</groupId>
 -- 
-2.50.1
+2.51.0
 

0004-Disable-Brotli-and-ZStd-compression.patch

@@ -1,4 +1,4 @@
-From e93d8f3b39a67d1726304d8fe29f5ca8584d60e0 Mon Sep 17 00:00:00 2001
+From 8445a1513bc95a49a5ab9e89084cd3bf3ca0dd40 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fridrich=20=C5=A0trba?= <fridrich.strba@bluewin.ch>
 Date: Thu, 30 Mar 2023 13:19:04 +0200
 Subject: [PATCH 4/4] Disable Brotli and ZStd compression
@@ -370,11 +370,11 @@ index b12213dff6..fdeadaebbe 100644
          return null;
      }
 diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java
-index 4c25f0adb7..3e3cdddeb4 100644
+index 73e497ccb8..56a2a93677 100644
 --- a/codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java
 +++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/DelegatingDecompressorFrameListener.java
-@@ -19,24 +19,16 @@ import io.netty.buffer.Unpooled;
- import io.netty.channel.ChannelHandlerContext;
+@@ -20,24 +20,16 @@ import io.netty.channel.ChannelHandlerContext;
+ import io.netty.channel.ChannelInboundHandlerAdapter;
  import io.netty.channel.embedded.EmbeddedChannel;
  import io.netty.handler.codec.ByteToMessageDecoder;
 -import io.netty.handler.codec.compression.Brotli;
@@ -398,7 +398,7 @@ index 4c25f0adb7..3e3cdddeb4 100644
  import static io.netty.handler.codec.http2.Http2Error.INTERNAL_ERROR;
  import static io.netty.handler.codec.http2.Http2Exception.streamError;
  import static io.netty.util.internal.ObjectUtil.checkNotNull;
-@@ -233,18 +225,6 @@ public class DelegatingDecompressorFrameListener extends Http2FrameListenerDecor
+@@ -175,18 +167,6 @@ public class DelegatingDecompressorFrameListener extends Http2FrameListenerDecor
              return new EmbeddedChannel(ctx.channel().id(), ctx.channel().metadata().hasDisconnect(),
                      ctx.channel().config(), ZlibCodecFactory.newZlibDecoder(wrapper, maxAllocation));
          }
@@ -509,5 +509,5 @@ index 38793a97e6..c1f1c8c17c 100644
       * Default implementation of {@link GzipOptions} with
       * {@code compressionLevel()} set to 6, {@code windowBits()} set to 15 and {@code memLevel()} set to 8.
 -- 
-2.50.1
+2.51.0
 

netty.changes

@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Thu Sep  4 13:02:53 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to upstream version 4.1.126
+  * Fixes
+    + Decompression codecs vulnerable to DoS via zip bomb style
+      attack (bsc#1249134, CVE-2025-58057)
+    + Request smuggling due to incorrect parsing of chunk extensions
+      (bsc#1249116, CVE-2025-58056)
+    + Fix IllegalReferenceCountException on invalid upgrade response
+    + Drop unknown frame on missing stream
+    + Don't try to handle incomplete upgrade request
+    + Make org.graalvm.nativeimage:svm optional in netty-common
+- Modified patches:
+  * 0001-Remove-optional-dep-Blockhound.patch
+  * 0002-Remove-optional-dep-conscrypt.patch
+  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
+  * 0004-Disable-Brotli-and-ZStd-compression.patch
+    + rediff
+
+-------------------------------------------------------------------
+Fri Aug 22 05:25:09 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to upstream version 4.1.124
+  * Fixes
+    + MadeYouReset HTTP/2 DDoS vulnerability
+      (CVE-2025-55163, bsc#1247991)
+    + Fix NPE and AssertionErrors when many tasks are scheduled and
+      cancelled
+    + HTTP2: Http2ConnectionHandler should always use
+      Http2ConnectionEncoder
+    + Epoll: Correctly handle UDP packets with source port of 0
+    + Fix netty-common OSGi Import-Package header
+    + MqttConnectPayload.toString() includes password
+- Modified patches:
+  * 0001-Remove-optional-dep-Blockhound.patch
+  * 0002-Remove-optional-dep-conscrypt.patch
+  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
+  * 0004-Disable-Brotli-and-ZStd-compression.patch
+    + rediff
+
 -------------------------------------------------------------------
 Thu Jul 24 18:11:55 UTC 2025 - Fridrich Strba <fstrba@suse.com>
 

netty.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package netty
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %global namedreltag .Final
 %global namedversion %{version}%{?namedreltag}
 Name:           netty
-Version:        4.1.123
+Version:        4.1.126
 Release:        0
 Summary:        An asynchronous event-driven network application framework and tools for Java
 License:        Apache-2.0