Version in base suite: 4.1.48-4+deb11u1 Base version: netty_4.1.48-4+deb11u1 Target version: netty_4.1.48-4+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/netty/netty_4.1.48-4+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/netty/netty_4.1.48-4+deb11u2.dsc changelog | 12 + patches/21-java-17.patch | 17 ++ patches/CVE-2023-34462.patch | 277 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2023-44487.patch | 241 +++++++++++++++++++++++++++++++++++++ patches/series | 3 5 files changed, 550 insertions(+) diff -Nru netty-4.1.48/debian/changelog netty-4.1.48/debian/changelog --- netty-4.1.48/debian/changelog 2023-01-01 18:17:21.000000000 +0000 +++ netty-4.1.48/debian/changelog 2023-11-18 14:32:05.000000000 +0000 @@ -1,3 +1,15 @@ +netty (1:4.1.48-4+deb11u2) bullseye-security; urgency=high + + * Team upload. + * Fix CVE-2023-34462: (Closes: #1038947) + Guard against high memory usage when parsing ClientHello messages. + * Fix CVE-2023-44487: (Closes: #1054234) + The HTTP/2 protocol allows a denial of service (server resource + consumption) because request cancellation can reset many streams quickly. + * Add 21-java-17.patch to fix a FTBFS with newer OpenJDK versions. + + -- Markus Koschany Sat, 18 Nov 2023 15:32:05 +0100 + netty (1:4.1.48-4+deb11u1) bullseye-security; urgency=high * Team upload. diff -Nru netty-4.1.48/debian/patches/21-java-17.patch netty-4.1.48/debian/patches/21-java-17.patch --- netty-4.1.48/debian/patches/21-java-17.patch 1970-01-01 00:00:00.000000000 +0000 +++ netty-4.1.48/debian/patches/21-java-17.patch 2023-11-18 14:32:05.000000000 +0000 @@ -0,0 +1,17 @@ +Description: compile with JDK 17 +Source: https://github.com/netty/netty/commit/bb184794341255cf02f9b7156c5ad828b172fdab.patch +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011135 +Comment: No longer needed after updating upstream to 4.1.52 or later + +--- a/handler/src/main/java/io/netty/handler/ssl/util/OpenJdkSelfSignedCertGenerator.java ++++ b/handler/src/main/java/io/netty/handler/ssl/util/OpenJdkSelfSignedCertGenerator.java +@@ -66,7 +66,8 @@ + info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter)); + info.set(X509CertInfo.KEY, new CertificateX509Key(keypair.getPublic())); + info.set(X509CertInfo.ALGORITHM_ID, +- new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid))); ++ // sha256WithRSAEncryption ++ new CertificateAlgorithmId(AlgorithmId.get("1.2.840.113549.1.1.11"))); + + // Sign the cert to identify the algorithm that's used. + X509CertImpl cert = new X509CertImpl(info); diff -Nru netty-4.1.48/debian/patches/CVE-2023-34462.patch netty-4.1.48/debian/patches/CVE-2023-34462.patch --- netty-4.1.48/debian/patches/CVE-2023-34462.patch 1970-01-01 00:00:00.000000000 +0000 +++ netty-4.1.48/debian/patches/CVE-2023-34462.patch 2023-11-18 14:32:05.000000000 +0000 @@ -0,0 +1,277 @@ +From: Markus Koschany +Date: Sun, 5 Nov 2023 21:05:39 +0100 +Subject: CVE-2023-34462 + +Bug-Debian: https://bugs.debian.org/1038947 +Origin: https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 +--- + .../java/io/netty/util/internal/ObjectUtil.java | 55 ++++++++++++++++++++-- + .../io/netty/handler/ssl/AbstractSniHandler.java | 22 +++++++++ + .../main/java/io/netty/handler/ssl/SniHandler.java | 50 ++++++++++++++++++++ + .../netty/handler/ssl/SslClientHelloHandler.java | 32 +++++++++++++ + 4 files changed, 156 insertions(+), 3 deletions(-) + +diff --git a/common/src/main/java/io/netty/util/internal/ObjectUtil.java b/common/src/main/java/io/netty/util/internal/ObjectUtil.java +index cbac561..ef26046 100644 +--- a/common/src/main/java/io/netty/util/internal/ObjectUtil.java ++++ b/common/src/main/java/io/netty/util/internal/ObjectUtil.java +@@ -21,6 +21,11 @@ import java.util.Collection; + */ + public final class ObjectUtil { + ++ private static final float FLOAT_ZERO = 0.0F; ++ private static final double DOUBLE_ZERO = 0.0D; ++ private static final long LONG_ZERO = 0L; ++ private static final int INT_ZERO = 0; ++ + private ObjectUtil() { + } + +@@ -72,13 +77,57 @@ public final class ObjectUtil { + * Checks that the given argument is positive or zero. If it is not, throws {@link IllegalArgumentException}. + * Otherwise, returns the argument. + */ +- public static long checkPositiveOrZero(long i, String name) { +- if (i < 0) { +- throw new IllegalArgumentException(name + ": " + i + " (expected: >= 0)"); ++ public static long checkPositiveOrZero(long l, String name) { ++ if (l < 0) { ++ throw new IllegalArgumentException(name + ": " + l + " (expected: >= 0)"); ++ } ++ return l; ++ } ++ ++ /** ++ * Checks that the given argument is positive or zero. If it is not, throws {@link IllegalArgumentException}. ++ * Otherwise, returns the argument. ++ */ ++ public static double checkPositiveOrZero(final double d, final String name) { ++ if (d < DOUBLE_ZERO) { ++ throw new IllegalArgumentException(name + " : " + d + " (expected: >= 0)"); ++ } ++ return d; ++ } ++ ++ /** ++ * Checks that the given argument is positive or zero. If it is not, throws {@link IllegalArgumentException}. ++ * Otherwise, returns the argument. ++ */ ++ public static float checkPositiveOrZero(final float f, final String name) { ++ if (f < FLOAT_ZERO) { ++ throw new IllegalArgumentException(name + " : " + f + " (expected: >= 0)"); ++ } ++ return f; ++ } ++ ++ /** ++ * Checks that the given argument is in range. If it is not, throws {@link IllegalArgumentException}. ++ * Otherwise, returns the argument. ++ */ ++ public static int checkInRange(int i, int start, int end, String name) { ++ if (i < start || i > end) { ++ throw new IllegalArgumentException(name + ": " + i + " (expected: " + start + "-" + end + ")"); + } + return i; + } + ++ /** ++ * Checks that the given argument is in range. If it is not, throws {@link IllegalArgumentException}. ++ * Otherwise, returns the argument. ++ */ ++ public static long checkInRange(long l, long start, long end, String name) { ++ if (l < start || l > end) { ++ throw new IllegalArgumentException(name + ": " + l + " (expected: " + start + "-" + end + ")"); ++ } ++ return l; ++ } ++ + /** + * Checks that the given argument is neither null nor empty. + * If it is, throws {@link NullPointerException} or {@link IllegalArgumentException}. +diff --git a/handler/src/main/java/io/netty/handler/ssl/AbstractSniHandler.java b/handler/src/main/java/io/netty/handler/ssl/AbstractSniHandler.java +index dcba585..02baad0 100644 +--- a/handler/src/main/java/io/netty/handler/ssl/AbstractSniHandler.java ++++ b/handler/src/main/java/io/netty/handler/ssl/AbstractSniHandler.java +@@ -19,6 +19,7 @@ import io.netty.buffer.ByteBuf; + import io.netty.channel.ChannelHandlerContext; + import io.netty.util.CharsetUtil; + import io.netty.util.concurrent.Future; ++import static io.netty.util.internal.ObjectUtil.checkPositiveOrZero; + + import java.util.Locale; + +@@ -117,8 +118,29 @@ public abstract class AbstractSniHandler extends SslClientHelloHandler { + return null; + } + ++ protected final long handshakeTimeoutMillis; + private String hostname; + ++ /** ++ * @param handshakeTimeoutMillis the handshake timeout in milliseconds ++ */ ++ protected AbstractSniHandler(long handshakeTimeoutMillis) { ++ this(0, handshakeTimeoutMillis); ++ } ++ ++ /** ++ * @paramm maxClientHelloLength the maximum length of the client hello message. ++ * @param handshakeTimeoutMillis the handshake timeout in milliseconds ++ */ ++ protected AbstractSniHandler(int maxClientHelloLength, long handshakeTimeoutMillis) { ++ super(maxClientHelloLength); ++ this.handshakeTimeoutMillis = checkPositiveOrZero(handshakeTimeoutMillis, "handshakeTimeoutMillis"); ++ } ++ ++ public AbstractSniHandler() { ++ this(0, 0L); ++ } ++ + @Override + protected Future lookup(ChannelHandlerContext ctx, ByteBuf clientHello) throws Exception { + hostname = clientHello == null ? null : extractSniHostname(clientHello); +diff --git a/handler/src/main/java/io/netty/handler/ssl/SniHandler.java b/handler/src/main/java/io/netty/handler/ssl/SniHandler.java +index c6a8227..f5e9589 100644 +--- a/handler/src/main/java/io/netty/handler/ssl/SniHandler.java ++++ b/handler/src/main/java/io/netty/handler/ssl/SniHandler.java +@@ -51,6 +51,19 @@ public class SniHandler extends AbstractSniHandler { + this(new AsyncMappingAdapter(mapping)); + } + ++ /** ++ * Creates a SNI detection handler with configured {@link SslContext} ++ * maintained by {@link Mapping} ++ * ++ * @param mapping the mapping of domain name to {@link SslContext} ++ * @param maxClientHelloLength the maximum length of the client hello message ++ * @param handshakeTimeoutMillis the handshake timeout in milliseconds ++ */ ++ public SniHandler(Mapping mapping, ++ int maxClientHelloLength, long handshakeTimeoutMillis) { ++ this(new AsyncMappingAdapter(mapping), maxClientHelloLength, handshakeTimeoutMillis); ++ } ++ + /** + * Creates a SNI detection handler with configured {@link SslContext} + * maintained by {@link DomainNameMapping} +@@ -69,9 +82,46 @@ public class SniHandler extends AbstractSniHandler { + */ + @SuppressWarnings("unchecked") + public SniHandler(AsyncMapping mapping) { ++ this(mapping, 0, 0L); ++ } ++ ++ /** ++ * Creates a SNI detection handler with configured {@link SslContext} ++ * maintained by {@link AsyncMapping} ++ * ++ * @param mapping the mapping of domain name to {@link SslContext} ++ * @param maxClientHelloLength the maximum length of the client hello message ++ * @param handshakeTimeoutMillis the handshake timeout in milliseconds ++ */ ++ @SuppressWarnings("unchecked") ++ public SniHandler(AsyncMapping mapping, ++ int maxClientHelloLength, long handshakeTimeoutMillis) { ++ super(maxClientHelloLength, handshakeTimeoutMillis); + this.mapping = (AsyncMapping) ObjectUtil.checkNotNull(mapping, "mapping"); + } + ++ /** ++ * Creates a SNI detection handler with configured {@link SslContext} ++ * maintained by {@link Mapping} ++ * ++ * @param mapping the mapping of domain name to {@link SslContext} ++ * @param handshakeTimeoutMillis the handshake timeout in milliseconds ++ */ ++ public SniHandler(Mapping mapping, long handshakeTimeoutMillis) { ++ this(new AsyncMappingAdapter(mapping), handshakeTimeoutMillis); ++ } ++ ++ /** ++ * Creates a SNI detection handler with configured {@link SslContext} ++ * maintained by {@link AsyncMapping} ++ * ++ * @param mapping the mapping of domain name to {@link SslContext} ++ * @param handshakeTimeoutMillis the handshake timeout in milliseconds ++ */ ++ public SniHandler(AsyncMapping mapping, long handshakeTimeoutMillis) { ++ this(mapping, 0, handshakeTimeoutMillis); ++ } ++ + /** + * @return the selected hostname + */ +diff --git a/handler/src/main/java/io/netty/handler/ssl/SslClientHelloHandler.java b/handler/src/main/java/io/netty/handler/ssl/SslClientHelloHandler.java +index 4bcf349..8ef0069 100644 +--- a/handler/src/main/java/io/netty/handler/ssl/SslClientHelloHandler.java ++++ b/handler/src/main/java/io/netty/handler/ssl/SslClientHelloHandler.java +@@ -22,8 +22,10 @@ import io.netty.channel.ChannelOutboundHandler; + import io.netty.channel.ChannelPromise; + import io.netty.handler.codec.ByteToMessageDecoder; + import io.netty.handler.codec.DecoderException; ++import io.netty.handler.codec.TooLongFrameException; + import io.netty.util.concurrent.Future; + import io.netty.util.concurrent.FutureListener; ++import io.netty.util.internal.ObjectUtil; + import io.netty.util.internal.PlatformDependent; + import io.netty.util.internal.logging.InternalLogger; + import io.netty.util.internal.logging.InternalLoggerFactory; +@@ -36,14 +38,32 @@ import java.util.List; + */ + public abstract class SslClientHelloHandler extends ByteToMessageDecoder implements ChannelOutboundHandler { + ++ /** ++ * The maximum length of client hello message as defined by ++ * RFC5246. ++ */ ++ public static final int MAX_CLIENT_HELLO_LENGTH = 0xFFFFFF; ++ + private static final InternalLogger logger = + InternalLoggerFactory.getInstance(SslClientHelloHandler.class); + ++ private final int maxClientHelloLength; + private boolean handshakeFailed; + private boolean suppressRead; + private boolean readPending; + private ByteBuf handshakeBuffer; + ++ public SslClientHelloHandler() { ++ this(MAX_CLIENT_HELLO_LENGTH); ++ } ++ ++ protected SslClientHelloHandler(int maxClientHelloLength) { ++ // 16MB is the maximum as per RFC: ++ // See https://www.rfc-editor.org/rfc/rfc5246#section-6.2.1 ++ this.maxClientHelloLength = ++ ObjectUtil.checkInRange(maxClientHelloLength, 0, MAX_CLIENT_HELLO_LENGTH, "maxClientHelloLength"); ++ } ++ + @Override + protected void decode(ChannelHandlerContext ctx, ByteBuf in, List out) throws Exception { + if (!suppressRead && !handshakeFailed) { +@@ -117,6 +137,15 @@ public abstract class SslClientHelloHandler extends ByteToMessageDecoder impl + handshakeLength = in.getUnsignedMedium(readerIndex + + SslUtils.SSL_RECORD_HEADER_LENGTH + 1); + ++ if (handshakeLength > maxClientHelloLength && maxClientHelloLength != 0) { ++ TooLongFrameException e = new TooLongFrameException( ++ "ClientHello length exceeds " + maxClientHelloLength + ++ ": " + handshakeLength); ++ in.skipBytes(in.readableBytes()); ++ ctx.fireUserEventTriggered(new SniCompletionEvent(e)); ++ SslUtils.handleHandshakeFailure(ctx, e, true); ++ throw e; ++ } + // Consume handshakeType and handshakeLength (this sums up as 4 bytes) + readerIndex += 4; + packetLength -= 4; +@@ -161,6 +190,9 @@ public abstract class SslClientHelloHandler extends ByteToMessageDecoder impl + } catch (NotSslRecordException e) { + // Just rethrow as in this case we also closed the channel and this is consistent with SslHandler. + throw e; ++ } catch (TooLongFrameException e) { ++ // Just rethrow as in this case we also closed the channel ++ throw e; + } catch (Exception e) { + // unexpected encoding, ignore sni and use default + if (logger.isDebugEnabled()) { diff -Nru netty-4.1.48/debian/patches/CVE-2023-44487.patch netty-4.1.48/debian/patches/CVE-2023-44487.patch --- netty-4.1.48/debian/patches/CVE-2023-44487.patch 1970-01-01 00:00:00.000000000 +0000 +++ netty-4.1.48/debian/patches/CVE-2023-44487.patch 2023-11-18 14:32:05.000000000 +0000 @@ -0,0 +1,241 @@ +From: Markus Koschany +Date: Sun, 5 Nov 2023 22:29:58 +0100 +Subject: CVE-2023-44487 + +Bug-Debian: https://bugs.debian.org/1054234 +Origin: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 +--- + .../AbstractHttp2ConnectionHandlerBuilder.java | 24 ++++++++- + .../codec/http2/Http2FrameCodecBuilder.java | 6 +++ + .../codec/http2/Http2MaxRstFrameDecoder.java | 58 ++++++++++++++++++++++ + .../codec/http2/Http2MaxRstFrameListener.java | 58 ++++++++++++++++++++++ + .../codec/http2/Http2MultiplexCodecBuilder.java | 6 +++ + 5 files changed, 150 insertions(+), 2 deletions(-) + create mode 100644 codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameDecoder.java + create mode 100644 codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameListener.java + +diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java +index f262b11..a904310 100644 +--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java ++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/AbstractHttp2ConnectionHandlerBuilder.java +@@ -109,6 +109,8 @@ public abstract class AbstractHttp2ConnectionHandlerBuilder 0) { + decoder = new Http2EmptyDataFrameConnectionDecoder(decoder, maxConsecutiveEmptyDataFrames); + } ++ if (maxRstFramesPerWindow > 0 && secondsPerWindow > 0) { ++ decoder = new Http2MaxRstFrameDecoder(decoder, maxRstFramesPerWindow, secondsPerWindow); ++ } + final T handler; + try { + // Call the abstract build method +diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java +index fad31b2..241c9c5 100644 +--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java ++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2FrameCodecBuilder.java +@@ -177,6 +177,12 @@ public class Http2FrameCodecBuilder extends + return super.decoderEnforceMaxConsecutiveEmptyDataFrames(maxConsecutiveEmptyFrames); + } + ++ @Override ++ public Http2FrameCodecBuilder decoderEnforceMaxRstFramesPerWindow( ++ int maxConsecutiveEmptyFrames, int secondsPerWindow) { ++ return super.decoderEnforceMaxRstFramesPerWindow(maxConsecutiveEmptyFrames, secondsPerWindow); ++ } ++ + /** + * Build a {@link Http2FrameCodec} object. + */ +diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameDecoder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameDecoder.java +new file mode 100644 +index 0000000..6ac6660 +--- /dev/null ++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameDecoder.java +@@ -0,0 +1,58 @@ ++/* ++ * Copyright 2023 The Netty Project ++ * ++ * The Netty Project licenses this file to you under the Apache License, ++ * version 2.0 (the "License"); you may not use this file except in compliance ++ * with the License. You may obtain a copy of the License at: ++ * ++ * https://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT ++ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the ++ * License for the specific language governing permissions and limitations ++ * under the License. ++ */ ++package io.netty.handler.codec.http2; ++ ++import static io.netty.util.internal.ObjectUtil.checkPositive; ++ ++ ++/** ++ * Enforce a limit on the maximum number of RST frames that are allowed per a window ++ * before the connection will be closed with a GO_AWAY frame. ++ */ ++final class Http2MaxRstFrameDecoder extends DecoratingHttp2ConnectionDecoder { ++ private final int maxRstFramesPerWindow; ++ private final int secondsPerWindow; ++ ++ Http2MaxRstFrameDecoder(Http2ConnectionDecoder delegate, int maxRstFramesPerWindow, int secondsPerWindow) { ++ super(delegate); ++ this.maxRstFramesPerWindow = checkPositive(maxRstFramesPerWindow, "maxRstFramesPerWindow"); ++ this.secondsPerWindow = checkPositive(secondsPerWindow, "secondsPerWindow"); ++ } ++ ++ @Override ++ public void frameListener(Http2FrameListener listener) { ++ if (listener != null) { ++ super.frameListener(new Http2MaxRstFrameListener(listener, maxRstFramesPerWindow, secondsPerWindow)); ++ } else { ++ super.frameListener(null); ++ } ++ } ++ ++ @Override ++ public Http2FrameListener frameListener() { ++ Http2FrameListener frameListener = frameListener0(); ++ // Unwrap the original Http2FrameListener as we add this decoder under the hood. ++ if (frameListener instanceof Http2MaxRstFrameListener) { ++ return ((Http2MaxRstFrameListener) frameListener).listener; ++ } ++ return frameListener; ++ } ++ ++ // Package-private for testing ++ Http2FrameListener frameListener0() { ++ return super.frameListener(); ++ } ++} +diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameListener.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameListener.java +new file mode 100644 +index 0000000..4603686 +--- /dev/null ++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MaxRstFrameListener.java +@@ -0,0 +1,58 @@ ++/* ++ * Copyright 2023 The Netty Project ++ * ++ * The Netty Project licenses this file to you under the Apache License, ++ * version 2.0 (the "License"); you may not use this file except in compliance ++ * with the License. You may obtain a copy of the License at: ++ * ++ * https://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT ++ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the ++ * License for the specific language governing permissions and limitations ++ * under the License. ++ */ ++package io.netty.handler.codec.http2; ++ ++import io.netty.channel.ChannelHandlerContext; ++import io.netty.util.internal.logging.InternalLogger; ++import io.netty.util.internal.logging.InternalLoggerFactory; ++ ++import java.util.concurrent.TimeUnit; ++ ++ ++final class Http2MaxRstFrameListener extends Http2FrameListenerDecorator { ++ private static final InternalLogger logger = InternalLoggerFactory.getInstance(Http2MaxRstFrameListener.class); ++ ++ private final long nanosPerWindow; ++ private final int maxRstFramesPerWindow; ++ private long lastRstFrameNano = System.nanoTime(); ++ private int receivedRstInWindow; ++ ++ Http2MaxRstFrameListener(Http2FrameListener listener, int maxRstFramesPerWindow, int secondsPerWindow) { ++ super(listener); ++ this.maxRstFramesPerWindow = maxRstFramesPerWindow; ++ this.nanosPerWindow = TimeUnit.SECONDS.toNanos(secondsPerWindow); ++ } ++ ++ @Override ++ public void onRstStreamRead(ChannelHandlerContext ctx, int streamId, long errorCode) throws Http2Exception { ++ long currentNano = System.nanoTime(); ++ if (currentNano - lastRstFrameNano >= nanosPerWindow) { ++ lastRstFrameNano = currentNano; ++ receivedRstInWindow = 1; ++ } else { ++ receivedRstInWindow++; ++ if (receivedRstInWindow > maxRstFramesPerWindow) { ++ Http2Exception exception = Http2Exception.connectionError(Http2Error.ENHANCE_YOUR_CALM, ++ "Maximum number of RST frames reached"); ++ logger.debug("{} Maximum number {} of RST frames reached within {} seconds, " + ++ "closing connection with {} error", ctx.channel(), maxRstFramesPerWindow, ++ TimeUnit.NANOSECONDS.toSeconds(nanosPerWindow), exception.error(), exception); ++ throw exception; ++ } ++ } ++ super.onRstStreamRead(ctx, streamId, errorCode); ++ } ++} +diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java +index 5d0829e..a3c0bed 100644 +--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java ++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2MultiplexCodecBuilder.java +@@ -206,6 +206,12 @@ public class Http2MultiplexCodecBuilder + return super.decoderEnforceMaxConsecutiveEmptyDataFrames(maxConsecutiveEmptyFrames); + } + ++ @Override ++ public Http2MultiplexCodecBuilder decoderEnforceMaxRstFramesPerWindow( ++ int maxConsecutiveEmptyFrames, int secondsPerWindow) { ++ return super.decoderEnforceMaxRstFramesPerWindow(maxConsecutiveEmptyFrames, secondsPerWindow); ++ } ++ + @Override + public Http2MultiplexCodec build() { + Http2FrameWriter frameWriter = this.frameWriter; diff -Nru netty-4.1.48/debian/patches/series netty-4.1.48/debian/patches/series --- netty-4.1.48/debian/patches/series 2023-01-01 18:17:21.000000000 +0000 +++ netty-4.1.48/debian/patches/series 2023-11-18 14:32:05.000000000 +0000 @@ -20,3 +20,6 @@ CVE-2021-43797.patch CVE-2022-41881.patch CVE-2022-41915.patch +CVE-2023-34462.patch +CVE-2023-44487.patch +21-java-17.patch