Your message dated Mon, 16 Jan 2023 19:02:37 +0000
with message-id <e1phukf-00gr7j...@fasolo.debian.org>
and subject line Bug#1027180: fixed in netty 1:4.1.48-4+deb11u1
has caused the Debian Bug report #1027180,
regarding netty: CVE-2022-41915 CVE-2022-41881
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1027180: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027180
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: netty
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for netty.

CVE-2022-41915[0]:
| Netty project is an event-driven asynchronous network application
| framework. In versions prior to 4.1.86.Final, when calling
| `DefaultHttpHeaders.set` with an _iterator_ of values, header value
| validation was not performed, allowing malicious header values in the
| iterator to perform HTTP Response Splitting. This issue has been
| patched in version 4.1.86.Final. Integrators can work around the issue
| by changing the `DefaultHttpHeaders.set(CharSequence,
| Iterator<?>)` call, into a `remove()` call, and call `add()` in
| a loop over the iterator of values.

https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp

CVE-2022-41881[1]:
| Netty project is an event-driven asynchronous network application
| framework. In versions prior to 4.1.86.Final, a StackOverflowError can
| be raised when parsing a malformed crafted message due to an infinite
| recursion. This issue is patched in version 4.1.86.Final. There is no
| workaround, except using a custom HaProxyMessageDecoder.

https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-41915
    https://www.cve.org/CVERecord?id=CVE-2022-41915
[1] https://security-tracker.debian.org/tracker/CVE-2022-41881
    https://www.cve.org/CVERecord?id=CVE-2022-41881

Please adjust the affected versions in the BTS as needed.

--- End Message ---
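
The workaround quoted in the CVE-2022-41915 description above, written out as an added example (not code from Netty, the advisory or the Debian package). The class and method names are hypothetical, the explicit CR/LF check is an extra assumption on top of the advisory's text, and a Netty 4.1 jar is assumed on the classpath.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

public final class SafeHeaderSet {          // hypothetical helper, not part of Netty
    private SafeHeaderSet() { }

    /** Replaces all values of name via remove() + add(), so each value is validated by add(). */
    public static HttpHeaders setValidated(HttpHeaders headers, CharSequence name, Iterator<?> values) {
        // Drain the iterator and check everything first, so a bad value
        // cannot leave the header half-replaced.
        List<Object> checked = new ArrayList<>();
        while (values.hasNext()) {
            Object value = values.next();
            rejectLineBreaks(name, value);
            checked.add(value);
        }
        headers.remove(name);
        for (Object value : checked) {
            headers.add(name, value);       // per-value validation happens here as well
        }
        return headers;
    }

    /** Explicit check added here, independent of Netty's validator: no CR or LF in a value. */
    private static void rejectLineBreaks(CharSequence name, Object value) {
        String s = String.valueOf(value);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n') {
                throw new IllegalArgumentException("line break in value of header " + name + " at index " + i);
            }
        }
    }

    public static void main(String[] args) {
        HttpHeaders headers = new DefaultHttpHeaders();   // validation is on by default
        setValidated(headers, "X-Trace", Arrays.asList("abc", "def").iterator());
        System.out.println(headers.getAll("X-Trace"));
        // Constructed sample: a value carrying CRLF followed by a second header line.
        Iterator<?> hostile = Arrays.asList("ok", "v\r\nSet-Cookie: injected=1").iterator();
        try {
            setValidated(headers, "X-Trace", hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because all values are checked before `remove()` is called, a rejected value leaves the previously stored header values in place.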
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-4+deb11u1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1027...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Jan 2023 21:00:08 CET
Source: netty
Architecture: source
Version: 1:4.1.48-4+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1001437 1014769 1027180
Changes:
 netty (1:4.1.48-4+deb11u1) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-37136, CVE-2021-37137, CVE-2021-43797, CVE-2022-41881,
     and CVE-2022-41915. Several out-of-memory, stack overflow or HTTP request
     smuggling vulnerabilities have been discovered in Netty which may allow
     attackers to cause a denial of service or bypass restrictions when used as
     a proxy. (Closes: #1027180, #1014769, #1001437)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
