Source: netty
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for netty.

CVE-2021-37136[0]:
| The Bzip2 decompression decoder function doesn't allow setting size
| restrictions on the decompressed output data (which affects the
| allocation size used during decompression). All users of Bzip2Decoder
| are affected. The malicious input can trigger an OOME and so a DoS
| attack.

https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
Fixed by: https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020 (netty-4.1.68.Final)

CVE-2021-37137[1]:
| The Snappy frame decoder function doesn't restrict the chunk length,
| which may lead to excessive memory usage. Besides this, it also may
| buffer reserved skippable chunks until the whole chunk was received,
| which may lead to excessive memory usage as well. This vulnerability
| can be triggered by supplying malicious input that decompresses to a
| very big size (via a network stream or a file) or by sending a huge
| skippable chunk.

https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363
Fixed by: https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f (netty-4.1.68.Final)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37136
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37136
[1] https://security-tracker.debian.org/tracker/CVE-2021-37137
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37137

Please adjust the affected versions in the BTS as needed.
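To make the two Snappy defects above concrete, here is an added, constructed walker for the Snappy framing format (my own illustration, not netty's SnappyFrameDecoder and not code from the advisory): every chunk length is checked against a per-type cap from the 4-byte header before any body bytes are kept, a compressed chunk's declared decompressed size is checked before any output would be allocated, and skippable/padding chunk bodies are discarded as they arrive rather than collected. The per-chunk 64 KiB limit and the 1-byte type + 3-byte length header come from the framing spec; the cap for compressed bodies assumes snappy's MaxCompressedLength bound 32 + n + n/6.

```python
MAX_UNCOMPRESSED = 65536  # framing spec: a chunk expands to at most 64 KiB
CRC_LEN = 4               # masked CRC-32C precedes compressed/uncompressed data
BODY_LIMIT = {0xFF: 6, 0x01: CRC_LEN + MAX_UNCOMPRESSED,          # 0xFF: "sNaPpY"
              0x00: CRC_LEN + 32 + MAX_UNCOMPRESSED + MAX_UNCOMPRESSED // 6}

def declared_uncompressed_len(block: bytes) -> int:  # varint preamble: claimed size
    result, shift = 0, 0
    for b in block[:5]:
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result
        shift += 7
    raise ValueError("bad varint preamble")

class SnappyFrameWalker:
    def __init__(self) -> None:
        self.buf = bytearray()     # holds at most one partial, size-bounded chunk
        self.skip_remaining = 0    # bytes of a skippable chunk still to discard
        self.chunks = []           # (type, length) of every chunk seen
        self.max_buffered = 0      # high-water mark: shows memory stays bounded

    def feed(self, data: bytes) -> None:
        self.buf += data
        self.max_buffered = max(self.max_buffered, len(self.buf))
        while self.buf:
            if self.skip_remaining:            # discard as it arrives, never accumulate
                n = min(self.skip_remaining, len(self.buf))
                del self.buf[:n]
                self.skip_remaining -= n
                continue
            if len(self.buf) < 4:              # need the full chunk header first
                break
            ctype, length = self.buf[0], int.from_bytes(self.buf[1:4], "little")
            if ctype == 0xFE or 0x80 <= ctype <= 0xFD:   # padding / skippable reserved
                del self.buf[:4]
                self.skip_remaining = length
                self.chunks.append((ctype, length))
                continue
            limit = BODY_LIMIT.get(ctype)      # None: unskippable reserved type
            if limit is None or length > limit:   # rejected from the header alone
                raise ValueError(f"chunk type 0x{ctype:02x} length {length} rejected")
            if len(self.buf) < 4 + length:     # wait for the rest, bounded by limit
                break
            body = bytes(self.buf[4:4 + length])
            del self.buf[:4 + length]
            if ctype == 0x00 and declared_uncompressed_len(body[CRC_LEN:]) > MAX_UNCOMPRESSED:
                raise ValueError("compressed chunk claims more than 64 KiB of output")
            self.chunks.append((ctype, length))

def chunk(ctype: int, body: bytes) -> bytes:  # frame builder: type, 3-byte LE length, body
    return bytes([ctype]) + len(body).to_bytes(3, "little") + body
```

Feeding a stream containing a 1 MiB skippable chunk in 4 KiB pieces keeps `max_buffered` at the piece size, while an oversized uncompressed chunk or a compressed chunk claiming 100000 bytes of output is refused from its header or preamble alone.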