netty (1:4.1.33.1-1+deb10u2+dde) unstable; urgency=medium

  * update

 -- Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>  Wed, 07 Jul 2021 17:43:55 +0800

netty (1:4.1.33.1-1+deb10u2+dde) buster-security; urgency=medium

  * Non-maintainer upload.
  * Update version.

 -- wangpei <wangpei@uniontech.com>  Wed, 30 Jun 2021 14:34:23 +0800

netty (1:4.1.33-1+deb10u2) buster-security; urgency=high

  * Team upload.
  * Fix the following security vulnerabilites:
    - CVE-2019-20444:
      HttpObjectDecoder.java allows an HTTP header that lacks a colon, which
      might be interpreted as a separate header with an incorrect syntax, or
      might be interpreted as an "invalid fold."
    - CVE-2019-20445:
      HttpObjectDecoder.java allows a Content-Length header to be accompanied
      by a second Content-Length header, or by a Transfer-Encoding header.
    - CVE-2020-7238:
      Netty allows HTTP Request Smuggling because it mishandles
      Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked
      line) and a later Content-Length header.
    - CVE-2020-11612:
      The ZlibDecoders allow for unbounded memory allocation while decoding a
      ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte
      stream to the Netty server, forcing the server to allocate all of its
      free memory to a single decoder.
    - CVE-2021-21290:
      In Netty there is a vulnerability on Unix-like systems involving an
      insecure temp file. When netty's multipart decoders are used local
      information disclosure can occur via the local system temporary directory
      if temporary storing uploads on the disk is enabled. On unix-like
      systems, the temporary directory is shared between all user. As such,
      writing to this directory using APIs that do not explicitly set the
      file/directory permissions can lead to information disclosure.
    - CVE-2021-21295:
      In Netty there is a vulnerability that enables request smuggling. If a
      Content-Length header is present in the original HTTP/2 request, the
      field is not validated by `Http2MultiplexHandler` as it is propagated up.
      This is fine as long as the request is not proxied through as HTTP/1.1.
      If the request comes in as an HTTP/2 stream, gets converted into the
      HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via
      `Http2StreamFrameToHttpObjectCodec `and then sent up to the child
      channel's pipeline and proxied through a remote peer as HTTP/1.1 this may
      result in request smuggling.
    - CVE-2021-21409:
      In Netty there is a vulnerability that enables request smuggling. The
      content-length header is not correctly validated if the request only uses
      a single Http2HeaderFrame with the endStream set to to true. This could
      lead to request smuggling if the request is proxied to a remote peer and
      translated to HTTP/1.1.

 -- Markus Koschany <apo@debian.org>  Thu, 01 Apr 2021 23:20:46 +0200

netty (1:4.1.33-1+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Correctly handle whitespaces in HTTP header names as defined by
    RFC7230#section-3.2.4 (CVE-2019-16869) (Closes: #941266)

 -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 02 Jan 2020 23:19:52 +0100

netty (1:4.1.33-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Depend on libnetty-tcnative-java (>= 2.0.20)
  * Removed the wrong --has-package-version flag
  * Standards-Version updated to 4.3.0

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 22 Jan 2019 14:06:25 +0100

netty (1:4.1.29-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Depend on libjctools-java (>= 2.0)
    - Depend on libnetty-tcnative-java (>= 2.0)
    - No longer depend on libasm-java
    - Disabled Conscrypt support (missing dependency)
    - Build the new transport-native-unix-common module
    - Install the new Bill of Materials
    - Ignore the new dev-tools, testsuite-autobahn, testsuite-http2,
      testsuite-shading, transport-native-kqueue and
      transport-native-unix-common-tests modules
    - Ignore the forbiddenapis and maven-remote-resources-plugin plugins
    - Removed the Maven wrapper from the upstream tarball
  * Removed the build dependency on libmaven-scm-java and ivy
  * Removed Damien Raude-Morvan from the uploaders (Closes: #889432)
  * Standards-Version updated to 4.2.1
  * Switch to debhelper level 11
  * Use salsa.debian.org Vcs-* URLs
  * Install the NOTICE file as required by the Apache-2.0 license

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 04 Sep 2018 23:41:23 +0200

netty (1:4.1.7-4) unstable; urgency=medium

  * Team upload.
  * Update debian/watch to repack with xz compression
  * Bump Standards-Version to 4.0.0
  * Update jctools2 patch for approach used upstream (see #866771)

 -- tony mancill <tmancill@debian.org>  Sun, 30 Jul 2017 08:31:35 -0700

netty (1:4.1.7-3) unstable; urgency=medium

  * Team upload.
  * Add patch to build against jctools 2.0 (Closes: #866771)
  * Update libjctools-java build-dep to version 2.0

 -- tony mancill <tmancill@debian.org>  Sat, 22 Jul 2017 18:56:07 -0700

netty (1:4.1.7-2) unstable; urgency=medium

  * Team upload.
  * Fixed the netty-all pom (Closes: #852255)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 23 Jan 2017 09:32:14 +0100

netty (1:4.1.7-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Build the new modules: codec-dns, codec-http2, codec-memcache,
      codec-mqtt, codec-redis, codec-smtp, codec-stomp, handler-proxy,
      resolver-dns and resolver
    - Ignore the new codec-xml module (missing dependency)
    - New dependency: groovy, libcompress-lzf-java, libgoogle-gson-java
    - Adapted codegen.groovy to run without the groovy-maven-plugin
    - Ignore the new test dependencies
    - Disabled lz4, lzma and protobuf nano support due to missing dependencies

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 16 Jan 2017 09:14:21 +0100

netty (1:4.0.42-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 30 Oct 2016 00:12:28 +0200

netty (1:4.0.41-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Depend on netty-tcnative (>= 1.1.33.Fork21)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 30 Aug 2016 08:52:52 +0200

netty (1:4.0.40-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - New dependency on libjctools-java
    - New build dependency on libmaven-shade-plugin-java
  * Build the netty-transport-native-epoll module
  * Depend on ant-contrib >= 1.0~b3+svn177-8 and dropped the dependency
    on libbcel-java

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 03 Aug 2016 01:04:26 +0200

netty (1:4.0.37-1) unstable; urgency=high

  * Team upload.
  * New upstream release. (Closes: #827620) CVE-2016-4970
  * Add build-dependency on liblog4j2-java.

 -- tony mancill <tmancill@debian.org>  Sat, 18 Jun 2016 14:45:03 -0700

netty (1:4.0.36-2) unstable; urgency=medium

  * Team upload.
  * Removed the empty classifier for the tcnative dependency since it breaks
    the Gradle dependencies resolution

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 24 May 2016 00:45:11 +0200

netty (1:4.0.36-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Depend on libasm-java (>= 5.0) instead of libasm4-java
  * Standards-Version updated to 3.9.8 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 24 Apr 2016 19:20:27 +0200

netty (1:4.0.35-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Updated the Maven rules
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* fields

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 28 Mar 2016 23:03:36 +0200

netty (1:4.0.34-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on netty-tcnative (>= 1.1.33.Fork11)
  * Build with the DH sequencer instead of CDBS
  * Made the versions.properties embedded in the jar files reproducible

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 31 Jan 2016 23:39:15 +0100

netty (1:4.0.33-1) unstable; urgency=medium

  * Team upload.
  * New upstream release

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 19 Nov 2015 23:37:59 +0100

netty (1:4.0.32-1) unstable; urgency=medium

  * Team upload.
  * New upstream release:
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 03 Oct 2015 01:12:58 +0200

netty (1:4.0.31-1) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * New upstream release:
    - Build with maven-debian-helper
    - Fixes CVE-2015-2156 (Closes: #796114)
  * debian/control:
    - Team maintenance by Debian Java Maintainers
    - Standards-Version updated to 3.9.6 (no changes)
    - Removed the deprecated DM-Upload-Allowed field
  * debian/watch: Track the release tags on GitHub
  * Moved the package to Git
  * Switch to debhelper level 9

  [ Charles Plessy ]
  * Updated homepage (debian/control).

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 12 Sep 2015 23:26:11 +0200

netty (1:3.2.6.Final-2) unstable; urgency=low

  * Merge from James Page (thanks!):
  * Enable test suite to support Ubuntu MIR (LP: #913878) (Closes: #658250):
    - d/build.xml: Add extra targets to compile and execute unit tests.
    - d/rules: Add testing dependencies to build classpath.
    - d/control: Added junit4 and libeasymock-java to BDI's and ant-optional
      to BD's.
  * d/orig-tar.sh; Dropped - not used.

 -- Damien Raude-Morvan <drazzib@debian.org>  Sun, 12 Feb 2012 12:43:50 +0100

netty (1:3.2.6.Final-1) unstable; urgency=low

  * New upstream release (Closes: #643832):
    - Update watch file for github.
  * Add myself to Uploaders.
  * Use maven-repo-helper to install jar.
  * Bump to Standards-Version to 3.9.2:
    - Provide a get-orig-source target.
    - Drop Depends on default-jre-headless.
    - Drop XSBC-* fields (Ubuntu specific)
    - Add Homepage field.
    - Add Vcs-* fields.
  * Use debhelper 7 compat level.
  * Fix copyright:
    - now under Apache-2.0 licence.
    - update to DEP-5.
  * Switch to 3.0 (quilt) source format.
  * Add Recommends on logging frameworks.

 -- Damien Raude-Morvan <drazzib@debian.org>  Wed, 23 Nov 2011 21:14:19 +0100

netty (1:3.1.0.CR1-1) unstable; urgency=low

  * Port package to pkg-java based largely on existing Ubuntu package
  * Pull sources from svn to build orig tarball avoiding DFSG non-compliance
  * debian/copyright, debian/README.source: Update to reflect DFSG-compliant
    packaging.

 -- Chris Grzegorczyk <grze@eucalyptus.com>  Thu, 17 Dec 2009 03:12:31 -0800

netty (3.1.0.CR1+dfsg-0ubuntu1) karmic; urgency=low

  * Repackaged orig tarball to avoid shipping sourceless doc/ elements.
  * debian/copyright, debian/README.source: Explain repacking.

 -- Thierry Carrez <thierry.carrez@ubuntu.com>  Wed, 26 Aug 2009 15:13:13 +0200

netty (3.1.0.CR1-0ubuntu1) karmic; urgency=low

  * Initial release. New Eucalyptus dependency.

 -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 21 Jul 2009 16:48:12 +0200
