netty (1:4.1.48-13) [PTS] [DDPO]

OK: VCS matches the version in the archive

Git: https://salsa.debian.org/java-team/netty.git
JSON
Enter a full Vcs-* header, supported schemes are: Vcs-Bzr, Vcs-Cvs, Vcs-Darcs, Vcs-Git, Vcs-Hg, Vcs-Mtn, Vcs-Svn.
For Vcs-Git append -b branch to select the branch name; append [subdir] if the debian/ directory is not in the repository root.
The next upload will reset the information from the source package headers.
Branch: master
Path: debian/changelog
Repo size: 3035136
Browser: https://salsa.debian.org/java-team/netty
Last scan: 2025-11-28 02:47:11+00
Next scan: 2025-12-06 12:16:00+00
CI pipeline status: success

Debian changelog in Git:

netty (1:4.1.48-13) unstable; urgency=high

  * Team upload
  * Fix test for junit4 for CVE-2025-58057 improving
    backporting. Thanks to Edwin Jiang.
  * Fix CVE-2025-58056 (Closes: #1113995)
    Netty incorrectly accepts standalone newline
    characters (LF) as a chunk-size line terminator,
    regardless of a preceding carriage return (CR),
    instead of requiring CRLF per HTTP/1.1 standards.
    When combined with reverse proxies that parse LF
    differently (treating it as part of the
    chunk extension), attackers can craft requests
    that the proxy sees as one request but Netty
    processes as two, enabling request smuggling attacks. 

 -- Bastien Roucariès <rouca@debian.org>  Tue, 25 Nov 2025 23:06:00 +0100

This branch is even with tag debian/1%4.1.48-13