netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl


Debian Bug report logs - #827620


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 18 Jun 2016 18:54:01 UTC

Severity: important

Tags: security, upstream

Found in version netty/1:4.0.36-2

Fixed in version netty/1:4.0.37-1

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#827620; Package src:netty. (Sat, 18 Jun 2016 18:54:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 18 Jun 2016 18:54:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
Date: Sat, 18 Jun 2016 20:51:18 +0200
Source: netty
Version: 1:4.0.36-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for netty. Can you please
double-check this issue? According to upstream, all versions
4.0.0.Final - 4.0.36.Final and 4.1.0.Final would be affected, and
fixed in 4.1.1.Final, according to [1].

CVE-2016-4970[0]:
Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4970
[1] http://netty.io/news/2016/06/07/4-1-1-Final.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#827620; Package src:netty. (Sat, 18 Jun 2016 22:21:03 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 18 Jun 2016 22:21:03 GMT)


Message #10 received at 827620@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 827620@bugs.debian.org
Subject: Re: Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
Date: Sat, 18 Jun 2016 15:18:32 -0700
On 06/18/2016 11:51 AM, Salvatore Bonaccorso wrote:
> Source: netty
> Version: 1:4.0.36-2
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for netty. Can you please
> double-check this issue? According to upstream, all versions
> 4.0.0.Final - 4.0.36.Final and 4.1.0.Final would be affected, and
> fixed in 4.1.1.Final, according to [1].
> 
> CVE-2016-4970[0]:
> Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-4970
> [1] http://netty.io/news/2016/06/07/4-1-1-Final.html
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore


Hi Salvatore,

Based on the notes in [2], I have uploaded 4.0.37 to unstable, which
should take care of the CVE in unstable and testing.  This will give the
Java Team a moment to discuss strategy regarding 4.0.x vs. 4.1.x.

I haven't seen any information as to whether this vulnerability also
affects the version in stable, 3.2.6.

Cheers,
tony

[2] http://netty.io/news/2016/06/07/4-0-37-Final.html


Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Sat, 18 Jun 2016 22:27:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 18 Jun 2016 22:27:10 GMT)


Message #15 received at 827620-close@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 827620-close@bugs.debian.org
Subject: Bug#827620: fixed in netty 1:4.0.37-1
Date: Sat, 18 Jun 2016 22:25:04 +0000
Source: netty
Source-Version: 1:4.0.37-1

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 827620@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 18 Jun 2016 14:45:03 -0700
Source: netty
Binary: libnetty-java
Architecture: source all
Version: 1:4.0.37-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description:
 libnetty-java - Java NIO client/server socket framework
Closes: 827620
Changes:
 netty (1:4.0.37-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release. (Closes: #827620) CVE-2016-4970
   * Add build-dependency on liblog4j2-java.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#827620; Package src:netty. (Mon, 20 Jun 2016 08:09:04 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 20 Jun 2016 08:09:04 GMT)


Message #20 received at 827620@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: tony mancill <tmancill@debian.org>, 827620@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
Date: Mon, 20 Jun 2016 10:07:04 +0200
On 19/06/2016 at 00:18, tony mancill wrote:

> I haven't seen any information as to whether this vulnerability also
> affects the version in stable, 3.2.6.

I don't think Jessie is affected, the vulnerable code relies on
netty-tcnative which is in testing/unstable only. The OpenSSL
integration didn't seem to exist in netty 3.2.x.

Emmanuel Bourg




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#827620; Package src:netty. (Mon, 20 Jun 2016 09:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 20 Jun 2016 09:09:04 GMT)


Message #25 received at 827620@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: tony mancill <tmancill@debian.org>, 827620@bugs.debian.org
Subject: Re: Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
Date: Mon, 20 Jun 2016 11:06:51 +0200
Hi Emmanuel,

On Mon, Jun 20, 2016 at 10:07:04AM +0200, Emmanuel Bourg wrote:
> On 19/06/2016 at 00:18, tony mancill wrote:
> 
> > I haven't seen any information as to whether this vulnerability also
> > affects the version in stable, 3.2.6.
> 
> I don't think Jessie is affected, the vulnerable code relies on
> netty-tcnative which is in testing/unstable only. The OpenSSL
> integration didn't seem to exist in netty 3.2.x.

Thanks for confirming!

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jul 2016 07:29:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:28:55 2019; Machine Name: buxtehude
