An update for netty is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2527 Final 1.0 1.0 2025-10-24 Initial 2025-10-24 2025-10-24 openEuler SA Tool V1.0 2025-10-24 netty security update An update for netty is now available for openEuler-24.03-LTS-SP1 Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. %package help Summary: Documents for Buildarch: noarch Requires: man info Provides: -javadoc = - Obsoletes: -javadoc < - %description help Man pages and other related documents for . Security Fix(es): Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerability exists in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string without sanitization. When methods such as SmtpRequests.rcpt(recipient) are called with a malicious string containing CRLF sequences, attackers can inject arbitrary SMTP commands. Because the injected commands are sent from the server's trusted IP address, resulting emails will likely pass SPF and DKIM authentication checks, making them appear legitimate. This allows remote attackers who can control SMTP command parameters (such as email recipients) to forge arbitrary emails from the trusted server, potentially impersonating executives and forging high-stakes corporate communications. This issue has been patched in versions 4.1.129.Final and 4.2.8.Final. No known workarounds exist.(CVE-2025-59419) An update for netty is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium netty https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2527 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-59419 https://nvd.nist.gov/vuln/detail/CVE-2025-59419 openEuler-24.03-LTS-SP1 netty-4.1.13-24.oe2403sp1.aarch64.rpm netty-4.1.13-24.oe2403sp1.src.rpm netty-4.1.13-24.oe2403sp1.x86_64.rpm netty-help-4.1.13-24.oe2403sp1.noarch.rpm Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerability exists in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string without sanitization. When methods such as SmtpRequests.rcpt(recipient) are called with a malicious string containing CRLF sequences, attackers can inject arbitrary SMTP commands. Because the injected commands are sent from the server's trusted IP address, resulting emails will likely pass SPF and DKIM authentication checks, making them appear legitimate. This allows remote attackers who can control SMTP command parameters (such as email recipients) to forge arbitrary emails from the trusted server, potentially impersonating executives and forging high-stakes corporate communications. This issue has been patched in versions 4.1.129.Final and 4.2.8.Final. No known workarounds exist. 2025-10-24 CVE-2025-59419 openEuler-24.03-LTS-SP1 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N netty security update 2025-10-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2527