netty (1:4.0.34-1ubuntu0.1~esm3) xenial-security; urgency=medium

  * SECURITY UPDATE: HTTP request/response smuggling
    - debian/patches/CVE-2025-58056.patch: Enforce stricter parsing of line
      endings in .../http/{HttpObjectDecoder.java, HttpRequestDecoder.java,
      HttpResponseDecoder.java, InvalidChunkExtensionException.java,
      InvalidChunkTerminationException.java,
      InvalidLineSeparatorException.java},
      .../internal/AppendableCharSequence.java and add tests to
      .../http/{HttpRequestDecoderTest.java, HttpResponseDecoderTest.java}.
    - CVE-2025-58056

 -- Edwin Jiang <edwin.jiang@canonical.com>  Mon, 08 Dec 2025 19:41:09 +0000

netty (1:4.0.34-1ubuntu0.1~esm2) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-29025.patch: Limit number of fields and
      field size
    - CVE-2024-29025
  * SECURITY UPDATE: Information leak
    - debian/patches/CVE-2022-24823.patch: Add checks for directory
      and permissions
    - CVE-2022-24823

 -- Bruce Cable <bruce.cable@canonical.com>  Fri, 14 Feb 2025 09:00:41 +1100

netty (1:4.0.34-1ubuntu0.1~esm1) xenial-security; urgency=medium

  * Add 06-certificate-verifier-interface-change.patch to match
    CertificateVerifier interface from netty-tcnative.
  * SECURITY UPDATE: Memory buffer out of bounds
    - debian/patches/07-CVE-2020-11612.patch: Allow a limit to be set on the
      decompressed buffer size for ZlibDecoders.
    - CVE-2020-11612
  * SECURITY UPDATE: Information disclosure
    - debian/patches/08-CVE-2021-21290.patch: Use Files.createTempFile to ensure
      files are created with proper permissions.
    - CVE-2021-21290
  * SECURITY UPDATE: Denial of Service
    - debian/patches/09-CVE-2021-37137.patch: Introduce maximum limit for the
      Snappy frame decoder function.
    - CVE-2021-37137

 -- Fabian Toepfer <fabian.toepfer@canonical.com>  Fri, 21 Apr 2023 23:12:09 +0200

netty (1:4.0.34-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on netty-tcnative (>= 1.1.33.Fork11)
  * Build with the DH sequencer instead of CDBS
  * Made the versions.properties embedded in the jar files reproducible

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 31 Jan 2016 23:39:15 +0100

netty (1:4.0.33-1) unstable; urgency=medium

  * Team upload.
  * New upstream release

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 19 Nov 2015 23:37:59 +0100

netty (1:4.0.32-1) unstable; urgency=medium

  * Team upload.
  * New upstream release:
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 03 Oct 2015 01:12:58 +0200

netty (1:4.0.31-1) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * New upstream release:
    - Build with maven-debian-helper
    - Fixes CVE-2015-2156 (Closes: #796114)
  * debian/control:
    - Team maintenance by Debian Java Maintainers
    - Standards-Version updated to 3.9.6 (no changes)
    - Removed the deprecated DM-Upload-Allowed field
  * debian/watch: Track the release tags on GitHub
  * Moved the package to Git
  * Switch to debhelper level 9

  [ Charles Plessy ]
  * Updated homepage (debian/control).

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 12 Sep 2015 23:26:11 +0200

netty (1:3.2.6.Final-2) unstable; urgency=low

  * Merge from James Page (thanks!):
  * Enable test suite to support Ubuntu MIR (LP: #913878) (Closes: #658250):
    - d/build.xml: Add extra targets to compile and execute unit tests.
    - d/rules: Add testing dependencies to build classpath.
    - d/control: Added junit4 and libeasymock-java to BDI's and ant-optional
      to BD's.
  * d/orig-tar.sh: Dropped - not used.

 -- Damien Raude-Morvan <drazzib@debian.org>  Sun, 12 Feb 2012 12:43:50 +0100

netty (1:3.2.6.Final-1) unstable; urgency=low

  * New upstream release (Closes: #643832):
    - Update watch file for github.
  * Add myself to Uploaders.
  * Use maven-repo-helper to install jar.
  * Bump to Standards-Version to 3.9.2:
    - Provide a get-orig-source target.
    - Drop Depends on default-jre-headless.
    - Drop XSBC-* fields (Ubuntu specific)
    - Add Homepage field.
    - Add Vcs-* fields.
  * Use debhelper 7 compat level.
  * Fix copyright:
    - now under Apache-2.0 licence.
    - update to DEP-5.
  * Switch to 3.0 (quilt) source format.
  * Add Recommends on logging frameworks.

 -- Damien Raude-Morvan <drazzib@debian.org>  Wed, 23 Nov 2011 21:14:19 +0100

netty (1:3.1.0.CR1-1) unstable; urgency=low

  * Port package to pkg-java based largely on existing Ubuntu package
  * Pull sources from svn to build orig tarball avoiding DFSG non-compliance
  * debian/copyright, debian/README.source: Update to reflect DFSG-compliant
    packaging.

 -- Chris Grzegorczyk <grze@eucalyptus.com>  Thu, 17 Dec 2009 03:12:31 -0800

netty (3.1.0.CR1+dfsg-0ubuntu1) karmic; urgency=low

  * Repackaged orig tarball to avoid shipping sourceless doc/ elements.
  * debian/copyright, debian/README.source: Explain repacking.

 -- Thierry Carrez <thierry.carrez@ubuntu.com>  Wed, 26 Aug 2009 15:13:13 +0200

netty (3.1.0.CR1-0ubuntu1) karmic; urgency=low

  * Initial release. New Eucalyptus dependency.

 -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 21 Jul 2009 16:48:12 +0200
