Bug#1027180: netty: CVE-2022-41915 CVE-2022-41881
Moritz Mühlenhoff
jmm at inutil.org
Wed Dec 28 22:48:23 GMT 2022
Source: netty
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for netty.
CVE-2022-41915[0]:
| Netty project is an event-driven asynchronous network application
| framework. In versions prior to 4.1.86.Final, when calling
| `DefaultHttpHeadesr.set` with an _iterator_ of values, header value
| validation was not performed, allowing malicious header values in the
| iterator to perform HTTP Response Splitting. This issue has been
| patched in version 4.1.86.Final. Integrators can work around the issue
| by changing the `DefaultHttpHeaders.set(CharSequence,
| Iterator<?>)` call, into a `remove()` call, and call `add()` in
| a loop over the iterator of values.
https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
CVE-2022-41881[1]:
| Netty project is an event-driven asynchronous network application
| framework. In versions prior to 4.1.86.Final, a StackOverflowError can
| be raised when parsing a malformed crafted message due to an infinite
| recursion. This issue is patched in version 4.1.86.Final. There is no
| workaround, except using a custom HaProxyMessageDecoder.
https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-41915
https://www.cve.org/CVERecord?id=CVE-2022-41915
[1] https://security-tracker.debian.org/tracker/CVE-2022-41881
https://www.cve.org/CVERecord?id=CVE-2022-41881
Please adjust the affected versions in the BTS as needed.
More information about the pkg-java-maintainers
mailing list