Debian Bug report logs -
#1010693
netty: CVE-2022-24823
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1010693; Package src:netty.
(Sat, 07 May 2022 14:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Sat, 07 May 2022 14:57:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: netty
Version: 1:4.1.48-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for netty.
CVE-2022-24823[0]:
| Netty is an open-source, asynchronous event-driven network application
| framework. The package `io.netty:netty-codec-http` prior to version
| 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When
| Netty's multipart decoders are used local information disclosure can
| occur via the local system temporary directory if temporary storing
| uploads on the disk is enabled. This only impacts applications running
| on Java version 6 and lower. Additionally, this vulnerability impacts
| code running on Unix-like systems, and very old versions of Mac OSX
| and Windows as they all share the system temporary directory between
| all users. Version 4.1.77.Final contains a patch for this
| vulnerability. As a workaround, specify one's own `java.io.tmpdir`
| when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to
| set the directory to something that is only readable by the current
| user.
Note as far I understand the insufficient fix impacts only netty in
combination with Java versions 6 and lower, so not of practical impact
for the supported suites. That said, there is likely not action to be
taken directly for the versions in Debian, and just can be closed once
the commit [2] lands in the version.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823
[1] https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
[2] https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun May 8 13:11:19 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon