ELA-1110-1 netty security update

denial of service

2024-06-18
Package: netty
Version: 1:4.1.7-2+deb9u5 (stretch)
Related CVEs: CVE-2024-29025


Julien Viet discovered that Netty, a Java NIO client/server socket framework, was vulnerable to allocation of resources without limits or throttling due to the accumulation of data in the HttpPostRequestDecoder. This would allow an attacker to cause a denial of service.



For Debian 9 stretch, this problem has been fixed in version 1:4.1.7-2+deb9u5.

We recommend that you upgrade your netty packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.