Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2308


Security update for netty, netty-tcnative


Type: security
Severity: important
Issued: 2026-06-09
Description:
This update for netty, netty-tcnative fixes the following issues:

- CVE-2026-41417: missing validation leads to HTTP request smuggling and RTSP request injection via start-line
  injection in `DefaultHttpRequest.setUri()` (bsc#1264350).
- CVE-2026-42578: HTTP Header Injection via HttpProxyHandler Disabled Validation in Netty (bsc#1265243).
- CVE-2026-42579: DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding
  (bsc#1265272).
- CVE-2026-42580: chunk size parser silently overflows int and enables request smuggling attacks (bsc#1265273).
- CVE-2026-42581: TE+CL header coexistence in HTTP/1.0 requests bypasses smuggling sanitization (bsc#1265277).
- CVE-2026-42583: resource exhaustion and possible denial of service via `Lz4FrameDecoder` (bsc#1265279).
- CVE-2026-42584: improper handling of inbound responses in `HttpClientCodec` can lead to response desynchronization
  (bsc#1265280).
- CVE-2026-42585: Netty is an asynchronous, event-driven network application framework (bsc#1265292).
- CVE-2026-42586: CRLF Injection in Netty Redis Codec Encoder (bsc#1265245).
- CVE-2026-42587: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables
  decompression bomb DoS (bsc#1265246).
- CVE-2026-44248: Netty is an asynchronous, event-driven network application framework (bsc#1265294).
- CVE-2026-42582: HTTP/3 QPACK literal unbounded allocation (bsc#1265318).

Changes for netty:

- Upgrade to upstream version 4.1.133


Packages


  • netty-4.1.133-150200.4.46.1