File netty.changes of Package netty.33151

Overview Repositories Revisions Requests Users Attributes Meta

File netty.changes of Package netty.33151

-------------------------------------------------------------------
Wed Mar 27 13:17:21 UTC 2024 - Fridrich Strba <fstrba@suse.com>

- Upgrade to upstream version 4.1.108
  * Fixes of 4.1.108:
    + HttpPostRequestDecoder can OOM (bsc#1222045, CVE-2024-29025)
    + Add zstd decoder
    + Updated HTTP2 Reader to fix missing header state
    + codec-http2: fix some frame validation errors
    + SSL: Only wrap TrustManager if FIPS is not used
    + Epoll: Correctly handle splice tasks when Channel is closed
    + Allow to cancel connect() operations when using non-blocking
      IO
    + DNS resolver final CNAME lookup disabled
    + DNS: Add DnsRecordType definitions for SVCB and HTTPS
    + SSL: Only try to use TLSv1.3 if a compatible ciphersuite is
      configured
    + Backport 'Fix buffer leak in DefaultHttp2HeadersEncoder' to v4
    + SSL: Hold the right monitor while running delegating task
    + SSL: Execute SSL_do_handshake(...) after task is run to ensure
      SSLEngine.getHandshakeStatus() returns the correct value all
      the time
    + Add active flag to EpollServerDomainSocketChannel fd
      constructor
    + Epoll: Fix possible Classloader deadlock caused by loading
      class via JNI
    + Prefer /etc/resolv.conf on Linux and Mac
    + Handle invalid cookie value
    + Upgrade to latest tcnative release
    + ByteToMessageDecoder.channelReadComplete(...) does call read()
      too often
    + Remove the lock usage in PoolArena#numPinnedBytes()
    + Fix x-www-form-urlencoded parsing for no-value key
      (re-submission)
  * Fixes of 4.1.107:
    + Speedup pseudoheader lookup
    + Add support for the Partitioned attribute in cookies
    + Reduce HTTP 1.1 Full msg pipeline traversals
    + DnsNameResolver: Add DnsQueryIdSpace class to reduce overhead
      while generating IDs
    + Fix copy-paste mistake in
      LazyX509Certificate.getIssuerAlternativeNames()
    + HTTP2: lastStreamCreated() does return the wrong value when
      all stream ids were used
    + HTTP2: Update local window should not fail queued frames
    + DnsNameResolver: Allways call bind() during bootstrap
    + HTTP: HttpObjectDecoder must not use HTTPMessage once it is
      passed to the next handler in the ChannelPipeline
    + Ensure key / values are shared between resumed sessions
    + SSLSession.getLastAccessedTime() and getCreationTime() should
      not be equal when session is reused
    + Snappy: Use unsigned short to handle 2 ^ 16 input size instead
      of 2 ^ 15
  * Fixes of 4.1.106:
    + HTTP2: Prevent sharing the index of the continuation frame
      header ByteBuf.
    + DnsNameResolver: Fail query if id space is exhausted
    + Short-circuit ByteBuf::release
  * Fixes of 4.1.105:
    + Fix exception on HTTP chunk size overflow
    + Default value of MAX_MESSAGES_PER_READ not used for native
      DatagramChannels
    + Redo fix scalability issue due to checkcast on context's
      invoke operations
    + Be able to retry the query via TCP if a query failed because
      of a timeout
    + Save HTTP 2 pseudo-header lower-case validation
    + DnsNameResolver: Limit connect timeout to query timeout
    + h2: propagate stream close without read pending, avoid SOOE
      if !autoRead
  * Fixes of 4.1.104:
    + dyld: Symbol not found: _netty_jni_util_JNI_OnLoad
  * Fixes of 4.1.103:
    + Workaround for regex bug in Android SDK
    + Use Http2Headers.size() instead of isEmpty()
    + Add support for RISC-V
  * Fixes of 4.1.101:
    + Add service-loaded extension points for channel initialization
    + Added check for pseudo-headers in trailers
    + Automatically close Http2StreamChannel when
      Http2FrameStreamExceptionreaches end ofChannelPipeline
    + Throwing a stackless exception if RST_FRAME rate is exceeded
    + Only enable the RST limit for servers by default
    + Change default value of MAX_MESSAGES_PER_READ for
      DatagramChannel implementations
    + Descriptive message for errors related to unknown http2
      streams
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Disable-Brotli-and-ZStd-compression.patch
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
  * 0007-Do-not-require-the-tcnative-native-library.patch
    + rebase

-------------------------------------------------------------------
Wed Feb 21 10:52:04 UTC 2024 - Gus Kenion <gus.kenion@suse.com>

- Use %patch -P N instead of deprecated %patchN.

-------------------------------------------------------------------
Thu Oct 12 15:12:00 UTC 2023 - Fridrich Strba <fstrba@suse.com>

- Upgrade to upstream version 4.1.100
  * Fixes of 4.1.100:
    + DDoS vector in the HTTP/2 protocol due RST frames
      (bsc#1216169, CVE-2023-44487)
    + Do not fail when compressing empty HttpContent
  * Fixes of 4.1.99:
    + Do not try to delete a global handle with the local handles
      APIs
    + Enable build with JDK21
    + dyld: lazy symbol binding failed: Symbol not found:
      _netty_jni_util_JNI_OnLoad
  * Fixes of 4.1.98:
    + Revert "HttpHeaderValidationUtil should reject chars past the
      1 byte range"
    + Filter out unresolved addresses when parsing resolv.conf
    + Prevent classloader leak via JNI
    + SSLSession.getPeerCertificateChain() should throw
      UnsupportedOperationException if javax.security.cert
      .X509Certificate can not be created
    + Enable client side session cache when using native SSL by
      default
  * Fixes of 4.1.97:
    + Fixing AsciiString#lastIndexOf To Respect The offset
    + Add support for snappy http2 content decompression
    + Add support for password-based encryption scheme 2 params
    + HttpHeaderValidationUtil should reject chars past the 1 byte
      range
    + Honor SslHandler.setWrapDataSize greater than SSL packet
      length
    + Add support for snappy http content encoding
  * Fixes of 4.1.96:
    + Move the PoolThreadCache finalizer to a separate object
    + Fix kevent(..) failed: Invalid argument
    + Revert "Always increment Stream Id on createStream" to fix bug
      which caused sending multiple RST frames for the same id
  * Fixes of 4.1.95
    + Add resource leak listener
    + Reduce object allocations during SslHandler.flush(...)
    + Ensure ByteBuf.capacity(...) will never throw AssertionError
    + Make transport.Bootstrap usable with no netty-resolver on
      classpath
    + Correctly retain slice when calling
      ReplayingDecoderByteBuf.retainedSlice(...)
    + Always increment Stream Id on createStream(...)
    + Fix BrotliEncoder bug that does not mark ByteBuf it encodes a
      read
    + Enhance CertificateException message when throw due hostname
      validation
- Rebased patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Disable-Brotli-and-ZStd-compression.patch
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
  * 0007-Do-not-require-the-tcnative-native-library.patch

-------------------------------------------------------------------
Wed Sep 13 04:55:29 UTC 2023 - Fridrich Strba <fstrba@suse.com>

- Reproducible builds: use SOURCE_DATE_EPOCH for timestamp

-------------------------------------------------------------------
Fri Jun 23 08:44:41 UTC 2023 - Fridrich Strba <fstrba@suse.com>

- Upgrade to upstream version 4.1.94
  * Fixes of 4.1.94:
    + Respect offset in
      io.netty.util.NetUtil#toAddressString(byte[], int, boolean)
    + Skip finalization for PoolThreadCache instances without
      small/normal caches
    + Use network byte order when encoding ipv4 address and port
      for Socks codecs
    + Call ReleaseByteArrayElements even when handling of
      socket_path fails to fix small mem leak
    + Always enable leak tracking for derived buffers if parent is
      tracked
    + Release DnsRecords when failing to notify promise
    + Delay possibility to reuse transaction id when query is
      failing because of timeout or cancellation
    + Implement contains for SelectedSelectionKeySet
    + Use Two-Way for finding the delimiter in
      DelimiterBasedFrameDecoder
    + Obtain the local address from the fd when the client connects
      only with remote address (UDS)
    + Allow to limit the maximum lenght of the ClientHello
      (bsc#1212637, CVE-2023-34462)
  * Fixes of 4.1.93:
    + Reset byte buffer in loop for AbstractDiskHttpData.setContent
    + OpenSSL MAX_CERTIFICATE_LIST_BYTES option supported
    + Adapt to DirectByteBuffer constructor in Java 21
    + HTTP/2 encoder: allow HEADER_TABLE_SIZE greater than
      Integer.MAX_VALUE
    + Upgrade to latest netty-tcnative to fix memory leak
    + H2/H2C server stream channels deactivated while write still
      in progress
    + Channel#bytesBefore(un)writable off by 1
    + HTTP/2 should forward shutdown user events to active streams
    + Respect the number of bytes read per datagram when using
      recvmmsg
  * Fixes of 4.1.92:
    + Make Recycler faster on OpenJ9
    + Allow to change the limit for the maximum size of the
      certificate chain.
    + Guard against unbounded grow of suppressed exceptions storage
    + Release websocket handshake response if pipeline checks fail
    + Add support for local and remote addresses on the server for
      child channels when UDS
    + Http types slow path checks
  * Fixes of 4.1.91:
    + Fire a PrematureChannelClosureException when Channel is closed
      while aggregating is still in progress
    + Connect without password if server returns NO_AUTH when using
      Socks5
    + Use optional resolution of sun.net.dns
    + Introduce Http2MultiplexActiveStreamsException that can be
      used to propagate an error to all active streams
    + Use the correct error when reset a stream
    + Update: Add snappy support on HttpContentDecoder
    + Don't unwrap multiple records until we notified the caller
      about the finished handshake
    + Handle EHOSTUNREACH errors in io.netty.channel.unix.Errors
- Depend on netty-tcnative >= 2.0.60 for SSLContext.setMaxCertList
  method.
- Rebased patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Disable-Brotli-and-ZStd-compression.patch
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
  * 0007-Do-not-require-the-tcnative-native-library.patch

-------------------------------------------------------------------
Thu Mar 30 16:49:51 UTC 2023 - Fridrich Strba <fstrba@suse.com>

- Upgrade to upstream version 4.1.90
  * Fixes of 4.1.90:
    + Adding header name of the header which failed validation
    + Fix HttpHeaders.names for non-String headers
    + Save expensive volatile operations in the common hot http
      decoder path
    + Avoid slow type checks against promises on outbound buffer's
      progress
    + Implement NonStickyEventExecutorGroup.inEventLoop
    + Native image: add support for unix domain sockets
    + Use MacOS SDK 10.9 to prevent apple notarization failures
    + Increase errno cache and guard against IOOBE
    + Don't reset BCSSLParameters when setting application protocols
    + WebSocketClientProtocolHandler: add option to disable UTF8
      validation
    + Chunked HTTP length decoding should account for
      whitespaces/ctrl chars
    + Handle NullPointerException thrown from
      NetworkInterface.getNetworkInterfaces()
  * Fixes of 4.1.89:
    + Don't fail on HttpObjectDecoder's maxHeaderSize greater then
      (Integer.MAX_VALUE - 2)
    + dyld: Symbol not found: _netty_jni_util_JNI_OnLoad when
      upgrading from 4.1.87.Final to 4.1.88.Final
  * Fixes of 4.1.88:
    + Speed-up HTTP 1.1 header and line parsing
    + Add StacklessSSLHandshakeException for ClosedChannelException
    + Modify changed CloseWebSocketFrame#statusCode() to change the
      fetch code to unsigned
    + Check if CommandLineTools are installed before trying to
      execute install_name_tool
    + Allow to adjust the GlobalEventExecutor quietPeriod via a
      system property
    + Add SslProvider.isOptionSupported(...)
    + Fix FlowControlHandler's behaviour to pass read events when
      auto-reading is turned off
    + Ensure Http2StreamFrameToHttpObjectCodec#decode doesn't add
      transfer-encoding for 204/304 response
    + Only do extra CNAME query if we couldnt follow the whole CNAME
      chain in the response
    + Include query id when a query failed
    + DnsResolveContext: include expected record types in exception
      message
    + Add necessary native-image configuration files for epoll
    + Create a deep-copy of the Throwable before returning it from
      the cache to prevent possible leaks
    + Always respect completeOncePreferredResolved in
      DnsNameResolver
    + fix brotli compression
    + Optionally depend on bctls-jdk15on
    + Make releasing objects back to Recycler faster
    + Correctly keep track of validExtensions per request / response
    + Add handling of inflight lookups to reduce real queries when
      lookup same hostname
    + DnsQueryContext: include query id and question info in
      exception message
    + AsciiStrings can be batch-encoded
  * Fixes of 4.1.87:
    + Upgrade to latest netty-tcnative release which doesnt link
      libcrypt
    + Add recvmmsg & sendmmsg syscall number for loongarch64
    + Return correct value from SSLSession.getPacketSize() when
      using native SSL implementation
    + Explicit disable TLSv1.3 in the OpenSSL options if not
      supported
    + Support handshake timeout in SniHandler.
    + Extend DNS address supplier interface to provide feedback
  * Fixes of 4.1.86:
    + HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360,
      CVE-2022-41881)
    + HTTP Response splitting from assigning header value iterator
      (bsc#1206379, CVE-2022-41915)
    + Revert #12888 for potential task scheduling problems in
      HashedWheelTimer
    + Deprecate ObjectEncoder/ObjectDecoder
    + HPACK dynamic table size update must happen at the beginning
      of the header block
  * Fixes of 4.1.85:
    + A bug in FlowControlHandler that broke auto-read has been
      fixed
    + The HTTP/2 HPACK encoder is now faster at encoding headers
      that have many values
    + A potential memory leak bug has been fixed in the pooled
      allocator
    + Fix an issue with the Blockhound integration, which could
      cause the MacOSDnsServerAddressStreamProvider to be flagged
      as making blocking calls
    + Inconsitencies in how epoll, kqueue, and NIO handle RDHUP have
      been fixed
    + ByteToMessageDecoder now handle situations where the same
      ByteBuf instance is read multiple times
    + The check that ensures the HTTP/1 Content-Length header is
      unique, now no longer causes headers to be rearranged (change
      their order)
    + Fix a NullPointerException bug with class initialisation order
      between InternalLogger and InternalThreadLocalMap
    + When the netty-resolver-dns-native-macos classes can't load
      their native bindings, they now only print a short error
      message instead of the huge stack trace it printed previously.
      The stack trace is still included if DEBUG logging is enabled
    + The Graal native-image meta-data is now placed in the
      recommended location, and no longer causes warnings to be
      printed
    + The HTTP/1 and HTTP/2 codecs now properly support RFC 8297
      Early Hints
    + Subclasses of FastThreadLocalThread can now tell the Netty
      Blockhound integration that they should be allowed to make
      blocking calls
    + Validation of HTTP/2 connection headers have been moved from
      Http2Headers to HpackDecoder, so that outgoing headers are
      not validated
  * Fixes of 4.1.84:
    + HTTP/2 header values with invalid characters are now rejected
      in header validation
    + We now automatically generate conditional meta-data for
      native-image use, making GraalVM support more reliable
    + Fix a scalability issue caused by instanceof and check-cast
      checks that lead to false-sharing on the
      Klass::secondary_super_cache field in the JVM
      (See JDK-8180450)
    + Made the HTTP/2 HPACK static table implementation faster by
      using a perfect hash function
    + Fixed a bug in our PEMParser when PEM files have multiple
      objects, and BouncyCastle is on the classpath
  * Fixes of 4.1.82:
    + Fix a NullPointerException bug when calling forEachByte on
      nested CompositeByteBufs
    + Relax an overly strict HTTP/2 header validation check that was
      rejecting requests from Chrome and Firefox
    + The OpenSSL and BoringSSL implementations now respect the
      jdk.tls.client.protocols and jdk.tls.server.protocols system
      properties, making them react to these in the same way the JDK
      SSL provider does
  * Fixes of 4.1.81:
    + Fix a regression SslContext private key loading
    + Fix a bug in SslContext private key reading fall-back path
    + Fix a buffer leak regression in HttpClientCodec
    + Fix a bug where some HttpMessage implementations, that also
      implement HttpContent, were not handled correctly
    + The MessageFormatter and FormattingTuple classes are now
      usable in the public API
    + Connection related headers in HTTP/2 frames are now rejected,
      in compliance with the specification
  * Fixes of 4.1.80:
    + HttpObjectEncoder scalability issue due to instanceof checks
    + Improve logging when MacOSDnsServerAddressStreamProvider
      cannot be found/loaded
    + Replace stdlib write/read with send/recv
    + Support for pkcs1
    + Add Blockhound exceptions for the PooledByteBufAllocator
    + Fix epoll bug when receiving zero-sized datagrams
    + Avoid including header values in header validation failure
      exceptions
    + Avoid allocating large buffers in JdkZlibEncoder
    + Native Image Support: Set
      IS_EXPLICIT_TRY_REFLECTION_SET_ACCESSIBLE to true by default
      for native images
    + We need to use disconnectx(...) on macOS
    + Replace synchronized with Java Locks on the allocator
    + Don't use static instances of FixedRecvByteBufAllocator
    + Add escaping for stomp headers
  * Fixes of 4.1.79:
    + The PEM certificate parser is no longer susceptible to
      exponential back-off
    + Non-standard extra ampersands in HTTP POST bodies are no
      longer rejected
    + An io.netty.osClassifiers system property has been added to
      avoid reading os-release files
    + Fix a bug in SslHandler so handlerRemoved works properly even
      if handlerAdded throws an exception
    + Use the correct OSGi processor directive on aarch64, making it
      possible to use OSGi on ARM
    + HTTP paths that begin with a double-slash are now parsed the
      same way browsers do
    + The isCompleted flag is now correctly preserved on objects
      from HttpData.retainedDuplicate()
    + The HttpUtil.isOriginForm() and isAsteriskForm() methods now
      correctly conform with RFC 7230
    + Fix an issue that allowed the multicast methods on
      EpollDatagramChannel to be called outside of an event-loop
      thread
    + Support for the LoongArch64 processor architecture has been
      added
  * Fixes of 4.1.78:
    + Fix a bug where an OPT record was added to DNS queries that
      already had such a record
    + Fix a bug that caused an error when files uploaded with HTTP
      POST contained a backslash in their name
    + Fix an issue in the BlockHound integration that could
      occasionally cause NetUtil to be reported as performing
      blocking operations
    + A similar BlockHound issue was fixed for the JdkSslContext
    + Fix a bug that prevented preface or settings frames from
      being flushed, when an HTTP2 connection was established with
      prior-knowledge
    + Fixes a rare NullPointerException that could occur when a
      ReferenceCountedOpenSslEngine threw an OutOfMemoryError from
      its constructor, and was then later finalized
    + The SslHandler now adds the socket file descriptor to the
      BIOs, when the SslEngine supports this (boringssl and
      libressl), which allow tracing and observability tools to
      monitor encryption traffic on a per-connection basis.
    + It is now possible to explicitly step the scheduling clock in
      EmbeddedEventLoop, which is useful for making automated tests
      with deterministic scheduling
  * Fixes of 4.1.77:
    + Local Information Disclosure Vulnerability in Netty on
      Unix-Like systems due temporary files for Java 6 and lower in
      io.netty:netty-codec-http (bsc#1199338, CVE-2022-24823)
    + Upgraded the optional netty-tcnative dependency to version
      2.0.52.Final
    + Fix a bug where Netty fails to load a shaded native library
    + Include classifier in Automatic-Module-Name
    + Check if epoll_pwait2 is implemented
    + Don't call strdup on packagePrefix
    + Enable debugging of asynchronous tasks in Intellij
    + Throwing an exception in case glibc is missing instead of
      segfaulting the JVM
  * Fixes of 4.1.76:
    + Upgraded the optional netty-tcnative dependency to version
      2.0.51.Final
    + Upgraded the optional log4j dependency to version 2.17.2
    + The netty-all module now declare an automatic module name,
      making it useable with Java Modules.
    + It is now possible to configure arbitrary socket options for
      the native epoll and kqueue transports. Refer to your
      operating system documentation for what options are available.
    + It is now possible to explicitly bind channels to either IPv4
      or IPv6.
    + The HTTP/2 header validation that rejects duplicate
      pseudo-headers, which was added in 4.1.75.Final, has been
      changed so it no longer breaks older versions of gRPC.
    " Fix a NullPointerException that was hiding the real cause of
      certain HTTP/2 header decoding errors.
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * no-brotli-zstd.patch
    -> 0004-Disable-Brotli-and-ZStd-compression.patch
  * no-werror.patch
    + rebase
- Removed patches:
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
    + we have the dependencies, so no need to disable them
  * 0006-revert-Fix-native-image-build.patch
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
    + solve the build breakages differently
- Added patches:
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
    + do not use annotations for which we don't have dependencies
  * 0007-Do-not-require-the-tcnative-native-library.patch
    + our tcnative library is installed system-wide

-------------------------------------------------------------------
Thu Oct 13 11:21:47 UTC 2022 - Fridrich Strba <fstrba@suse.com>

- Force building with java 11 on ix86 in order to avoid random
  build failures

-------------------------------------------------------------------
Fri Apr  8 07:27:55 UTC 2022 - Fridrich Strba <fstrba@suse.com>

- Upgrade to latest upstream version 4.1.75
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
  * 0006-revert-Fix-native-image-build.patch
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
    + rebase

-------------------------------------------------------------------
Tue Feb 22 18:27:07 UTC 2022 - Fridrich Strba <fstrba@suse.com>

- Do not build against the log4j12 packages

-------------------------------------------------------------------
Tue Dec 14 06:31:10 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Upgrade to latest upstream version 4.1.72
  * fixes: bsc#1190610, CVE-2021-37136: Bzip2Decoder doesn't allow
    setting size restrictions for decompressed data
  * fixes: bsc#1190613, CVE-2021-37137: SnappyFrameDecoder doesn't
    restrict chunk length any may buffer skippable chunks in an
    unnecessary way
  * fixes: bsc#1193672, CVE-2021-43797: possible HTTP request
    smuggling due to insufficient validation against control
    characters
  * fixes: bsc#1184203, CVE-2021-21409: request smuggling via
    content-length header
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
  * 0006-revert-Fix-native-image-build.patch
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
  * no-werror.patch
    + rediff to changed context
- Added patch:
  * no-brotli-zstd.patch
    + disable Brotli and Zstd compression, since we lack
      the dependencies needed to build them

-------------------------------------------------------------------
Fri Mar 12 08:31:56 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Upgrade to latest upstream version 4.1.60
  * fixes: bsc#1183262, CVE-2021-21295: HTTP/2 request
    Content-Length header field is not validated by
    'Http2MultiplexHandler'
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
  * 0006-revert-Fix-native-image-build.patch
    + rediff to changed context
- Added patch:
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
    + revert optional disabled cache implementation that conflicts
      with our 0004-Remove-optional-dep-tcnative.patch

-------------------------------------------------------------------
Thu Feb 11 12:00:22 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Upgrade to latest upstream version 4.1.59
- Removed patches:
  * netty-CVE-2020-11612.patch
  * netty-CVE-2021-21290.patch
    + fixes integrated in the upstream sources
  * 0001-Remove-OpenSSL-parts-depending-on-tcnative.patch
  * 0002-Remove-NPN.patch
  * 0003-Remove-conscrypt-ALPN.patch
  * 0004-Remove-jetty-ALPN.patch
    + replaced by new patches
- Added patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
    + remove various optional dependencies that we do not need
  * 0006-revert-Fix-native-image-build.patch
    + Revert changes that introduce a new dependency that we
      do not have
  * no-werror.patch
    + Do not treat warnings as errors
- Build -poms and -javadoc as noarch packages, since they do not
  install anything in arch-dependent directories

-------------------------------------------------------------------
Thu Feb 11 09:20:25 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Added patch:
  * netty-CVE-2021-21290.patch
    + bsc#1182103, CVE-2021-21290

-------------------------------------------------------------------
Thu Apr  9 07:54:00 UTC 2020 - Fridrich Strba <fstrba@suse.com>

- Added patch:
  * netty-CVE-2020-11612.patch
    + bsc#1168932, CVE-2020-11612
    + bsc#1169082, CVE-2020-10707

-------------------------------------------------------------------
Thu Jan  9 15:14:41 UTC 2020 - Fridrich Strba <fstrba@suse.com>

- Split pom-only artifacts into a subpackage netty-pom in order
  to generate their dependencies correctly

-------------------------------------------------------------------
Wed Nov 13 19:18:57 UTC 2019 - Fridrich Strba <fstrba@suse.com>

- Initial packaging of netty 4.1.13

Places

File netty.changes of Package netty.33151

Places