Debian Bug report logs -
#1027180
netty: CVE-2022-41915 CVE-2022-41881
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#1027180
; Package src:netty
.
(Wed, 28 Dec 2022 22:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Wed, 28 Dec 2022 22:51:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: netty
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for netty.
CVE-2022-41915[0]:
| Netty project is an event-driven asynchronous network application
| framework. In versions prior to 4.1.86.Final, when calling
| `DefaultHttpHeadesr.set` with an _iterator_ of values, header value
| validation was not performed, allowing malicious header values in the
| iterator to perform HTTP Response Splitting. This issue has been
| patched in version 4.1.86.Final. Integrators can work around the issue
| by changing the `DefaultHttpHeaders.set(CharSequence,
| Iterator<?>)` call, into a `remove()` call, and call `add()` in
| a loop over the iterator of values.
https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
CVE-2022-41881[1]:
| Netty project is an event-driven asynchronous network application
| framework. In versions prior to 4.1.86.Final, a StackOverflowError can
| be raised when parsing a malformed crafted message due to an infinite
| recursion. This issue is patched in version 4.1.86.Final. There is no
| workaround, except using a custom HaProxyMessageDecoder.
https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-41915
https://www.cve.org/CVERecord?id=CVE-2022-41915
[1] https://security-tracker.debian.org/tracker/CVE-2022-41881
https://www.cve.org/CVERecord?id=CVE-2022-41881
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 29 Dec 2022 08:15:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Dec 29 16:36:19 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.