Detections
Analytics

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : netty, netty-tcnative (SUSE-SU-2025:03114-1)

high Nessus Plugin ID 264436

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03114-1 advisory.

 Upgrade to upstream version 4.1.126.

 Security issues fixed:

 - CVE-2025-58057: decompression codecs allocating a large number of buffers after processing specially crafted input can cause a denial of service (bsc#1249134).
 - CVE-2025-58056: incorrect parsing of chunk extensions can lead to request smuggling (bsc#1249116).
 - CVE-2025-55163: 'MadeYouReset' denial of serivce attack in the HTTP/2 protocol (bsc#1247991).

 Other issues fixed:

 - Fixes from version 4.1.126
 * Fix IllegalReferenceCountException on invalid upgrade response.
 * Drop unknown frame on missing stream.
 * Don't try to handle incomplete upgrade request.
 * Update to netty-tcnative 2.0.73Final.

 - Fixes from version 4.1.124
 * Fix NPE and AssertionErrors when many tasks are scheduled and cancelled.
 * HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder.
 * Epoll: Correctly handle UDP packets with source port of 0.
 * Fix netty-common OSGi Import-Package header.
 * MqttConnectPayload.toString() includes password.

 - Fixes from version 4.1.123
 * Fix chunk reuse bug in adaptive allocator.
 * More accurate adaptive memory usage accounting.
 * Introduce size-classes for the adaptive allocator.
 * Reduce magazine proliferation eagerness.
 * Fix concurrent ByteBuffer access issue in AdaptiveByteBuf.getBytes.
 * Fix possible buffer corruption caused by incorrect setCharSequence(...) implementation.
 * AdaptiveByteBuf: Fix AdaptiveByteBuf.maxFastWritableBytes() to take writerIndex() into account.
 * Optimize capacity bumping for adaptive ByteBufs.
 * AbstractDnsRecord: equals() and hashCode() to ignore name field's case.
 * Backport Unsafe guards.
 * Guard recomputed offset access with hasUnsafe.
 * HTTP2: Always produce a RST frame on stream exception.
 * Correct what artifacts included in netty-bom.

 - Fixes from version 4.1.122
 * DirContextUtils.addNameServer(...) should just catch Exception internally.
 * Make public API specify explicit maxAllocation to prevent OOM.
 * Fix concurrent ByteBuf write access bug in adaptive allocator.
 * Fix transport-native-kqueue Bundle-SymbolicNames.
 * Fix resolver-dns-native-macos Bundle-SymbolicNames.
 * Always correctly calculate the memory address of the ByteBuf even if sun.misc.Unsafe is not usable.
 * Upgrade lz4 dependencies as the old version did not correctly handle ByteBuffer that have an arrayOffset > 0.
 * Optimize ByteBuf.setCharSequence for adaptive allocator.
 * Kqueue: Fix registration failure when fd is reused.
 * Make JdkZlibEncoder accept Deflater.DEFAULT_COMPRESSION as level.
 * Ensure OpenSsl.availableJavaCipherSuites does not contain null values.
 * Always prefer direct buffers for pooled allocators if not explicit disabled.
 * Update to netty-tcnative 2.0.72.Final.
 * Re-enable sun.misc.Unsafe by default on Java 24+.
 * Kqueue: Delay removal from registration map to fix noisy warnings.

 - Fixes from version 4.1.121
 * Epoll.isAvailable() returns false on Ubuntu 20.04/22.04 arch amd64.
 * Fix transport-native-epoll Bundle-SymbolicNames.

 - Fixes from version 4.1.120
 * Fix flawed termination condition check in HttpPostRequestEncoder#encodeNextChunkUrlEncoded(int) for current InterfaceHttpData.
 * Exposed decoderEnforceMaxConsecutiveEmptyDataFrames and decoderEnforceMaxRstFramesPerWindow.
 * ThreadExecutorMap must restore old EventExecutor.
 * Make Recycler virtual thread friendly.
 * Disable sun.misc.Unsafe by default on Java 24+.
 * Adaptive: Correctly enforce leak detection when using AdaptiveByteBufAllocator.
 * Add suppressed exception to original cause when calling Future.sync*.
 * Add SETTINGS_ENABLE_CONNECT_PROTOCOL to the default HTTP/2 settings.
 * Correct computation for suboptimal chunk retirement probability.
 * Fix bug in method AdaptivePoolingAllocator.allocateWithoutLock(...).
 * Fix a Bytebuf leak in TcpDnsQueryDecoder.
 * SSL: Clear native error if named group is not supported.
 * WebSocketClientCompressionHandler shouldn't claim window bits support when jzlib is not available.
 * Fix the assignment error of maxQoS parameter in ConnAck Properties.

 - Fixes from version 4.1.119
 * Replace SSL assertion with explicit record length check.
 * Fix NPE when upgrade message fails to aggregate.
 * SslHandler: Fix possible NPE when executor is used for delegating.
 * Consistently add channel info in HTTP/2 logs.
 * Add QueryStringDecoder option to leave '+' alone.
 * Use initialized BouncyCastle providers when available.

 - Fix pom.xml errors that will be fatal with Maven 4

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected netty, netty-javadoc, netty-tcnative and / or netty-tcnative-javadoc packages.

See Also

https://bugzilla.suse.com/1247991

https://bugzilla.suse.com/1249116

https://bugzilla.suse.com/1249134

http://www.nessus.org/u?1bf9bf72

https://www.suse.com/security/cve/CVE-2025-55163

https://www.suse.com/security/cve/CVE-2025-58056

https://www.suse.com/security/cve/CVE-2025-58057

Plugin Details

Severity: High

ID: 264436

File Name: suse_SU-2025-03114-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 9/10/2025

Updated: 9/10/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2025-58056

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 6.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-55163

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:netty, p-cpe:/a:novell:suse_linux:netty-javadoc, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:netty-tcnative

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/9/2025

Vulnerability Publication Date: 8/13/2025

Reference Information

CVE: CVE-2025-55163, CVE-2025-58056, CVE-2025-58057

SuSE: SUSE-SU-2025:03114-1