This update for netty, netty-tcnative fixes the following issues:
Update to 4.1.132:
- CVE-2026-33870: incorrect parsing of quoted strings in HTTP/1.1 can lead to request smuggling (bsc#1261031).
- CVE-2026-33871: sending a flood of CONTINUATION frames can lead to a denial of service (bsc#1261043).
Changelog:
- Upgrade to upstream version 4.1.132
- Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR retry loop
- Make RefCntOpenSslContext.deallocate more robust
- HTTP2: Correctly account for padding when decompress
- Fix high-order bit aliasing in HttpUtil.validateToken
- fix: the precedence of + is higher than >>
- AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity()
- AdaptivePoolingAllocator: call unreserveMatchingBuddy(...) if byteBuf initialization failed
- Don't assume CertificateFactory is thread-safe
- Fix HttpObjectAggregator leaving connection stuck after 413 with AUTO_READ=false
- HTTP2: Ensure preface is flushed in all cases
- Fix UnsupportedOperationException in readTrailingHeaders
- Fix client_max_window_bits parameter handling in permessage-deflate extension
- Native transports: Fix possible fd leak when fcntl fails.
- Kqueue: Fix undefined behaviour when GetStringUTFChars fails and SO_ACCEPTFILTER is supported
- Kqueue: Possible overflow when using netty_kqueue_bsdsocket_setAcceptFilter(...)
- Native transports: Fix undefined behaviour when GetStringUTFChars fails while open FD
- Epoll: Add null checks for safety reasons
- Epoll: Use correct value to initialize mmsghdr.msg_namelen
- Epoll: Fix support for IP_RECVORIGDSTADDR
- AdaptivePoolingAllocator: remove ensureAccessible() call in capacity(int) method
- Epoll: setTcpMg5Sig(...) might overflow
- JdkZlibDecoder: accumulate decompressed output before firing channelRead
- Limit the number of Continuation frames per HTTP2 Headers (bsc#1261043, CVE-2026-33871)
- Stricter HTTP/1.1 chunk extension parsing...