netty (1:3.2.6.Final-2+deb8u2) jessie-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Security Team.
  * CVE-2019-20444: HttpObjectDecoder.java allows an HTTP header that
    lacks a colon, which might be interpreted as a separate header
    with an incorrect syntax, or might be interpreted as an "invalid
    fold."
  * CVE-2019-20445: HttpObjectDecoder.java allows a Content-Length
    header to be accompanied by a second Content-Length header, or by
    a Transfer-Encoding header.
  * CVE-2020-7238: Netty allows HTTP Request Smuggling because it
    mishandles Transfer-Encoding whitespace (such as a
    [space]Transfer-Encoding:chunked line) and a later Content-Length
    header.

 -- Sylvain Beucler <beuc@debian.org>  Wed, 19 Feb 2020 17:44:45 +0100

netty (1:3.2.6.Final-2+deb8u1) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2019-16869: Correctly handle whitespaces in HTTP header names as defined
    by RFC7230#section-3.2.4.
  * debian/control:
    + Drop 'DM-Upload-Allowed: yes' field. Not supported in jessie anymore.
      (The netty src:pkg never got updated during the jessie release cycle).
  * debian/build.xml:
    + Enable deprecations. Fixes FTBFS against OpenJDK in Debian jessie LTS.

 -- Mike Gabriel <sunweaver@debian.org>  Fri, 27 Sep 2019 15:13:36 +0200

netty (1:3.2.6.Final-2) unstable; urgency=low

  * Merge from James Page (thanks!):
  * Enable test suite to support Ubuntu MIR (LP: #913878) (Closes: #658250):
    - d/build.xml: Add extra targets to compile and execute unit tests.
    - d/rules: Add testing dependencies to build classpath.
    - d/control: Added junit4 and libeasymock-java to BDI's and ant-optional
      to BD's.
  * d/orig-tar.sh; Dropped - not used.

 -- Damien Raude-Morvan <drazzib@debian.org>  Sun, 12 Feb 2012 12:43:50 +0100

netty (1:3.2.6.Final-1) unstable; urgency=low

  * New upstream release (Closes: #643832):
    - Update watch file for github.
  * Add myself to Uploaders.
  * Use maven-repo-helper to install jar.
  * Bump to Standards-Version to 3.9.2:
    - Provide a get-orig-source target.
    - Drop Depends on default-jre-headless.
    - Drop XSBC-* fields (Ubuntu specific)
    - Add Homepage field.
    - Add Vcs-* fields.
  * Use debhelper 7 compat level.
  * Fix copyright:
    - now under Apache-2.0 licence.
    - update to DEP-5.
  * Switch to 3.0 (quilt) source format.
  * Add Recommends on logging frameworks.

 -- Damien Raude-Morvan <drazzib@debian.org>  Wed, 23 Nov 2011 21:14:19 +0100

netty (1:3.1.0.CR1-1) unstable; urgency=low

  * Port package to pkg-java based largely on existing Ubuntu package
  * Pull sources from svn to build orig tarball avoiding DFSG non-compliance
  * debian/copyright, debian/README.source: Update to reflect DFSG-compliant
    packaging.

 -- Chris Grzegorczyk <grze@eucalyptus.com>  Thu, 17 Dec 2009 03:12:31 -0800

netty (3.1.0.CR1+dfsg-0ubuntu1) karmic; urgency=low

  * Repackaged orig tarball to avoid shipping sourceless doc/ elements.
  * debian/copyright, debian/README.source: Explain repacking.

 -- Thierry Carrez <thierry.carrez@ubuntu.com>  Wed, 26 Aug 2009 15:13:13 +0200

netty (3.1.0.CR1-0ubuntu1) karmic; urgency=low

  * Initial release. New Eucalyptus dependency.

 -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 21 Jul 2009 16:48:12 +0200
