On Wed, 19 Aug 2015 16:59:58 +0200 Moritz Muehlenhoff <j...@debian.org> wrote:
> This was assigned CVE-2015-2156:
> http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html

I got a look at this issue, the packages depending on libnetty-java in squeeze/wheezy/jessie do not use the CookieDecoder and aren't affected by this vulnerability. The only package using the CookieDecoder class is elasticsearch, but it depends on libnetty-3.9-java. So this package will have to be updated in Jessie.

> Please phase out src:netty towards the updated src:netty-3.9 so that
> there's only one version around.

libnetty-java is going to be updated to the version 4.x. We have to keep two versions of this library because the APIs aren't compatible. The 3.x line is still maintained upstream, so that should be fine for now.

Emmanuel Bourg