netty (1:4.1.7-2+deb9u3) stretch-security; urgency=high

  * CVE-2021-21290: Prevent an insecure temporary file issue that could lead to
    disclosure of arbitrary local files.

 -- Chris Lamb <lamby@debian.org>  Thu, 11 Feb 2021 12:54:48 +0000

netty (1:4.1.7-2+deb9u2) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Detect missing colon when parsing http headers with no value
    (CVE-2019-20444) (Closes: #950966)
  * Correctly handle Content-Length header that is accompanied by a second
    Content-Length header, or by a Transfer-Encoding header, by removing the 
    extra Content-Length header. (CVE-2019-20445) (Closes: #950967)
  * Prevent denial of service resulting from unbounded memory allocation while
    decoding a ZlibEncoded byte stream, whereby an attacker could send a large
    ZlibEncoded byte stream to the Netty server, forcing the server to allocate
    all of its free memory to a single decoder. (CVE-2020-11612)

 -- Roberto C. Sanchez <roberto@debian.org>  Mon, 24 Aug 2020 16:17:17 -0400

netty (1:4.1.7-2+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Correctly handle whitespaces in HTTP header names as defined by
    RFC7230#section-3.2.4 (CVE-2019-16869) (Closes: #941266)

 -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 02 Jan 2020 23:46:59 +0100

netty (1:4.1.7-2) unstable; urgency=medium

  * Team upload.
  * Fixed the netty-all pom (Closes: #852255)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 23 Jan 2017 09:32:14 +0100

netty (1:4.1.7-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Build the new modules: codec-dns, codec-http2, codec-memcache,
      codec-mqtt, codec-redis, codec-smtp, codec-stomp, handler-proxy,
      resolver-dns and resolver
    - Ignore the new codec-xml module (missing dependency)
    - New dependency: groovy, libcompress-lzf-java, libgoogle-gson-java
    - Adapted codegen.groovy to run without the groovy-maven-plugin
    - Ignore the new test dependencies
    - Disabled lz4, lzma and protobuf nano support due to missing dependencies

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 16 Jan 2017 09:14:21 +0100

netty (1:4.0.42-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 30 Oct 2016 00:12:28 +0200

netty (1:4.0.41-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Depend on netty-tcnative (>= 1.1.33.Fork21)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 30 Aug 2016 08:52:52 +0200

netty (1:4.0.40-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - New dependency on libjctools-java
    - New build dependency on libmaven-shade-plugin-java
  * Build the netty-transport-native-epoll module
  * Depend on ant-contrib >= 1.0~b3+svn177-8 and dropped the dependency
    on libbcel-java

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 03 Aug 2016 01:04:26 +0200

netty (1:4.0.37-1) unstable; urgency=high

  * Team upload.
  * New upstream release. (Closes: #827620) CVE-2016-4970
  * Add build-dependency on liblog4j2-java.

 -- tony mancill <tmancill@debian.org>  Sat, 18 Jun 2016 14:45:03 -0700

netty (1:4.0.36-2) unstable; urgency=medium

  * Team upload.
  * Removed the empty classifier for the tcnative dependency since it breaks
    the Gradle dependencies resolution

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 24 May 2016 00:45:11 +0200

netty (1:4.0.36-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Depend on libasm-java (>= 5.0) instead of libasm4-java
  * Standards-Version updated to 3.9.8 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 24 Apr 2016 19:20:27 +0200

netty (1:4.0.35-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Updated the Maven rules
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* fields

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 28 Mar 2016 23:03:36 +0200

netty (1:4.0.34-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on netty-tcnative (>= 1.1.33.Fork11)
  * Build with the DH sequencer instead of CDBS
  * Made the versions.properties embedded in the jar files reproducible

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 31 Jan 2016 23:39:15 +0100

netty (1:4.0.33-1) unstable; urgency=medium

  * Team upload.
  * New upstream release

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 19 Nov 2015 23:37:59 +0100

netty (1:4.0.32-1) unstable; urgency=medium

  * Team upload.
  * New upstream release:
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 03 Oct 2015 01:12:58 +0200

netty (1:4.0.31-1) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * New upstream release:
    - Build with maven-debian-helper
    - Fixes CVE-2015-2156 (Closes: #796114)
  * debian/control:
    - Team maintenance by Debian Java Maintainers
    - Standards-Version updated to 3.9.6 (no changes)
    - Removed the deprecated DM-Upload-Allowed field
  * debian/watch: Track the release tags on GitHub
  * Moved the package to Git
  * Switch to debhelper level 9

  [ Charles Plessy ]
  * Updated homepage (debian/control).

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 12 Sep 2015 23:26:11 +0200

netty (1:3.2.6.Final-2) unstable; urgency=low

  * Merge from James Page (thanks!):
  * Enable test suite to support Ubuntu MIR (LP: #913878) (Closes: #658250):
    - d/build.xml: Add extra targets to compile and execute unit tests.
    - d/rules: Add testing dependencies to build classpath.
    - d/control: Added junit4 and libeasymock-java to BDI's and ant-optional
      to BD's.
  * d/orig-tar.sh; Dropped - not used.

 -- Damien Raude-Morvan <drazzib@debian.org>  Sun, 12 Feb 2012 12:43:50 +0100

netty (1:3.2.6.Final-1) unstable; urgency=low

  * New upstream release (Closes: #643832):
    - Update watch file for github.
  * Add myself to Uploaders.
  * Use maven-repo-helper to install jar.
  * Bump to Standards-Version to 3.9.2:
    - Provide a get-orig-source target.
    - Drop Depends on default-jre-headless.
    - Drop XSBC-* fields (Ubuntu specific)
    - Add Homepage field.
    - Add Vcs-* fields.
  * Use debhelper 7 compat level.
  * Fix copyright:
    - now under Apache-2.0 licence.
    - update to DEP-5.
  * Switch to 3.0 (quilt) source format.
  * Add Recommends on logging frameworks.

 -- Damien Raude-Morvan <drazzib@debian.org>  Wed, 23 Nov 2011 21:14:19 +0100

netty (1:3.1.0.CR1-1) unstable; urgency=low

  * Port package to pkg-java based largely on existing Ubuntu package
  * Pull sources from svn to build orig tarball avoiding DFSG non-compliance
  * debian/copyright, debian/README.source: Update to reflect DFSG-compliant
    packaging.

 -- Chris Grzegorczyk <grze@eucalyptus.com>  Thu, 17 Dec 2009 03:12:31 -0800

netty (3.1.0.CR1+dfsg-0ubuntu1) karmic; urgency=low

  * Repackaged orig tarball to avoid shipping sourceless doc/ elements.
  * debian/copyright, debian/README.source: Explain repacking.

 -- Thierry Carrez <thierry.carrez@ubuntu.com>  Wed, 26 Aug 2009 15:13:13 +0200

netty (3.1.0.CR1-0ubuntu1) karmic; urgency=low

  * Initial release. New Eucalyptus dependency.

 -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 21 Jul 2009 16:48:12 +0200
