diff --git a/CVE-2025-55163.patch b/CVE-2025-55163.patch
new file mode 100644
index 0000000000000000000000000000000000000000..82d454e4ae91be42376260763b51c53e93a0b16b
--- /dev/null
+++ b/CVE-2025-55163.patch
@@ -0,0 +1,138 @@
+commit be53dc3c9acd9af2e20d0c3c07cd77115a594cf1
+Author: Norman Maurer
+Date: Mon Jul 28 08:25:35 2025 -1000
+
+ HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncode… (#15518)
+
+ …r (#15516)
+
+ Motivation:
+
+ We sometimes directly used the Http2FrameWriter which is not correct as
+ someone might have supplied a custom Http2ConnectionEncoder
+
+ Modifications:
+
+ Use Http2ConnectionEncoder when writing RST frames
+
+ Result:
+
+ Don't by-pass Http2ConnectionEncoder
+
+diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java
+index 4e661e865d..61e9cd1213 100644
+--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java
++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2ConnectionHandler.java
+@@ -717,7 +717,7 @@ public class Http2ConnectionHandler extends ByteToMessageDecoder implements Http
+ try {
+ stream = encoder.connection().remote().createStream(streamId, true);
+ } catch (Http2Exception e) {
+- resetUnknownStream(ctx, streamId, http2Ex.error().code(), ctx.newPromise());
++ encoder().writeRstStream(ctx, streamId, http2Ex.error().code(), ctx.newPromise());
+ return;
+ }
+ }
+@@ -734,10 +734,10 @@ public class Http2ConnectionHandler extends ByteToMessageDecoder implements Http
+
+ if (stream == null) {
+ if (!outbound || connection().local().mayHaveCreatedStream(streamId)) {
+- resetUnknownStream(ctx, streamId, http2Ex.error().code(), ctx.newPromise());
++ encoder().writeRstStream(ctx, streamId, http2Ex.error().code(), ctx.newPromise());
+ }
+ } else {
+- resetStream(ctx, stream, http2Ex.error().code(), ctx.newPromise());
++ encoder().writeRstStream(ctx, streamId, http2Ex.error().code(), ctx.newPromise());
+ }
+ }
+
+diff --git a/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java b/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java
+index 9d5a1c463c..4c48e2780d 100644
+--- a/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java
++++ b/codec-http2/src/test/java/io/netty/handler/codec/http2/Http2ConnectionHandlerTest.java
+@@ -421,7 +421,7 @@ public class Http2ConnectionHandlerTest {
+ when(connection.isServer()).thenReturn(true);
+ when(stream.isHeadersSent()).thenReturn(false);
+ when(remote.lastStreamCreated()).thenReturn(STREAM_ID);
+- when(frameWriter.writeRstStream(eq(ctx), eq(STREAM_ID),
++ when(encoder.writeRstStream(eq(ctx), eq(STREAM_ID),
+ eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future);
+
+ handler.exceptionCaught(ctx, e);
+@@ -431,7 +431,7 @@ public class Http2ConnectionHandlerTest {
+ captor.capture(), eq(padding), eq(true), eq(promise));
+ Http2Headers headers = captor.getValue();
+ assertEquals(HttpResponseStatus.REQUEST_HEADER_FIELDS_TOO_LARGE.codeAsText(), headers.status());
+- verify(frameWriter).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise);
++ verify(encoder).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise);
+ }
+
+ @Test
+@@ -445,14 +445,14 @@ public class Http2ConnectionHandlerTest {
+ when(connection.isServer()).thenReturn(true);
+ when(stream.isHeadersSent()).thenReturn(false);
+ when(remote.lastStreamCreated()).thenReturn(STREAM_ID);
+- when(frameWriter.writeRstStream(eq(ctx), eq(STREAM_ID),
++ when(encoder.writeRstStream(eq(ctx), eq(STREAM_ID),
+ eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future);
+
+ handler.exceptionCaught(ctx, e);
+
+ verify(encoder, never()).writeHeaders(eq(ctx), eq(STREAM_ID),
+ any(Http2Headers.class), eq(padding), eq(true), eq(promise));
+- verify(frameWriter).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise);
++ verify(encoder).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise);
+ }
+
+ @Test
+@@ -466,14 +466,14 @@ public class Http2ConnectionHandlerTest {
+ when(connection.isServer()).thenReturn(false);
+ when(stream.isHeadersSent()).thenReturn(false);
+ when(remote.lastStreamCreated()).thenReturn(STREAM_ID);
+- when(frameWriter.writeRstStream(eq(ctx), eq(STREAM_ID),
++ when(encoder.writeRstStream(eq(ctx), eq(STREAM_ID),
+ eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future);
+
+ handler.exceptionCaught(ctx, e);
+
+ verify(encoder, never()).writeHeaders(eq(ctx), eq(STREAM_ID),
+ any(Http2Headers.class), eq(padding), eq(true), eq(promise));
+- verify(frameWriter).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise);
++ verify(encoder).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise);
+ }
+
+ @Test
+@@ -502,14 +502,14 @@ public class Http2ConnectionHandlerTest {
+ when(connection.isServer()).thenReturn(true);
+ when(stream.isHeadersSent()).thenReturn(true);
+ when(remote.lastStreamCreated()).thenReturn(STREAM_ID);
+- when(frameWriter.writeRstStream(eq(ctx), eq(STREAM_ID),
++ when(encoder.writeRstStream(eq(ctx), eq(STREAM_ID),
+ eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future);
+ handler.exceptionCaught(ctx, e);
+
+ verify(encoder, never()).writeHeaders(eq(ctx), eq(STREAM_ID),
+ any(Http2Headers.class), eq(padding), eq(true), eq(promise));
+
+- verify(frameWriter).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise);
++ verify(encoder).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise);
+ }
+
+ @Test
+@@ -526,7 +526,7 @@ public class Http2ConnectionHandlerTest {
+ when(connection.isServer()).thenReturn(true);
+ when(stream.isHeadersSent()).thenReturn(false);
+ when(remote.lastStreamCreated()).thenReturn(STREAM_ID);
+- when(frameWriter.writeRstStream(eq(ctx), eq(STREAM_ID),
++ when(encoder.writeRstStream(eq(ctx), eq(STREAM_ID),
+ eq(PROTOCOL_ERROR.code()), eq(promise))).thenReturn(future);
+ handler.exceptionCaught(ctx, e);
+
+@@ -534,7 +534,7 @@ public class Http2ConnectionHandlerTest {
+ verify(encoder).writeHeaders(eq(ctx), eq(STREAM_ID),
+ any(Http2Headers.class), eq(padding), eq(true), eq(promise));
+
+- verify(frameWriter).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise);
++ verify(encoder).writeRstStream(ctx, STREAM_ID, PROTOCOL_ERROR.code(), promise);
+ }
+
+ @Test
diff --git a/netty.spec b/netty.spec index 19be9766082cb6a10d8f06214ee081e15d3f4c17..ebd9721d08a787eb898f7c4a93978bd055f89488 100644 --- a/netty.spec +++ b/netty.spec @@ -2,7 +2,7 @@ Name: netty Version: 4.1.114 -Release: 2 +Release: 3 Summary: An asynchronous event-driven network application framework and tools for Java License: Apache-2.0 URL: https://netty.io/ @@ -20,6 +20,7 @@ Patch0007: no-werror.patch Patch0008: reproducible.patch Patch0009: fix-strip.patch Patch0010: CVE-2025-24970.patch +Patch0011: CVE-2025-55163.patch BuildRequires: autoconf automake libtool gcc BuildRequires: maven-local @@ -177,6 +178,9 @@ export CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS" %files help -f .mfiles-javadoc %changelog +* Thu Aug 14 2025 Yu Peng - 4.1.114-3 +- Fix CVE-2025-55163 + * Tue Feb 11 2025 wangkai <13474090681@163.com> - 4.1.114-2 - Fix CVE-2025-24970
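Review bot: The two `Http2ConnectionHandler.java` hunks (`@@ -717,7` and `@@ -734,10`) only reroute the RST_STREAM write to `encoder().writeRstStream(...)`; nothing in this patch itself bounds how many resets the endpoint will emit, so the CVE fix as packaged rests on the configured `Http2ConnectionEncoder` enforcing such a bound. Please confirm that the 4.1.114 tree already contains an encoder that does this, or that a companion upstream change is carried as a further patch, since otherwise the default configuration presumably behaves as before. In the `else` branch the call now passes `streamId` where `resetStream` received the resolved `stream`, so the encoder path has to look the stream up again and apply the same state handling; that looks intended but cannot be checked here because the enclosing method starts and ends outside the hunk. A comment above the new calls would keep the intent from being refactored away, for example `// Write RST_STREAM via the encoder so a custom Http2ConnectionEncoder (e.g. a frame limiter) is never bypassed.`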