Debian Bug report logs -
#982580
netty: CVE-2021-21290
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 12 Feb 2021 06:45:01 UTC
Severity: important
Tags: security, upstream
Found in versions netty/1:4.1.48-1, netty/1:4.1.33-1, netty/1:4.1.33-1+deb10u1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#982580; Package src:netty.
(Fri, 12 Feb 2021 06:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Fri, 12 Feb 2021 06:45:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: netty
Version: 1:4.1.48-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1:4.1.33-1+deb10u1
Control: found -1 1:4.1.33-1
Hi,
The following vulnerability was published for netty.
CVE-2021-21290[0]:
| Netty is an open-source, asynchronous event-driven network application
| framework for rapid development of maintainable high performance
| protocol servers & clients. In Netty before version 4.1.59.Final
| there is a vulnerability on Unix-like systems involving an insecure
| temp file. When netty's multipart decoders are used local information
| disclosure can occur via the local system temporary directory if
| temporary storing uploads on the disk is enabled. On unix-like
| systems, the temporary directory is shared between all user. As such,
| writing to this directory using APIs that do not explicitly set the
| file/directory permissions can lead to information disclosure. Of
| note, this does not impact modern MacOS Operating Systems. The method
| "File.createTempFile" on unix-like systems creates a random file, but,
| by default will create this file with the permissions "-rw-r--r--".
| Thus, if sensitive information is written to this file, other local
| users can read this information. This is the case in netty's
| "AbstractDiskHttpData" is vulnerable. This has been fixed in version
| 4.1.59.Final. As a workaround, one may specify your own
| "java.io.tmpdir" when you start the JVM or use
| "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to
| something that is only readable by the current user.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-21290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21290
[1] https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
[2] https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions netty/1:4.1.33-1+deb10u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 12 Feb 2021 06:45:04 GMT) (full text, mbox, link).
Marked as found in versions netty/1:4.1.33-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 12 Feb 2021 06:45:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Feb 12 08:02:59 2021;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon