Source: netty
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for netty.

CVE-2022-41915[0]:
| Netty project is an event-driven asynchronous network application
| framework. In versions prior to 4.1.86.Final, when calling
| `DefaultHttpHeaders.set` with an _iterator_ of values, header value
| validation was not performed, allowing malicious header values in the
| iterator to perform HTTP Response Splitting. This issue has been
| patched in version 4.1.86.Final. Integrators can work around the issue
| by changing the `DefaultHttpHeaders.set(CharSequence,
| Iterator<?>)` call, into a `remove()` call, and call `add()` in
| a loop over the iterator of values.

https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp

CVE-2022-41881[1]:
| Netty project is an event-driven asynchronous network application
| framework. In versions prior to 4.1.86.Final, a StackOverflowError can
| be raised when parsing a malformed crafted message due to an infinite
| recursion. This issue is patched in version 4.1.86.Final. There is no
| workaround, except using a custom HaProxyMessageDecoder.

https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-41915
    https://www.cve.org/CVERecord?id=CVE-2022-41915
[1] https://security-tracker.debian.org/tracker/CVE-2022-41881
    https://www.cve.org/CVERecord?id=CVE-2022-41881

Please adjust the affected versions in the BTS as needed.

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
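The CVE-2022-41915 workaround quoted above (replace the bulk `set()` with `remove()` plus an `add()` loop) in Java, as an added example that is not part of the bug report, the advisory, or netty's own code. It targets the `io.netty.handler.codec.http.DefaultHttpHeaders` API of netty 4.1; the overload the advisory calls `set(CharSequence, Iterator<?>)` is `set(CharSequence, Iterable<?>)` in the public API, so a `List` is passed here. The helper name `setValidated`, the class name, the sample values and the assumption that `DefaultHttpHeaders` rejects a value containing CR/LF with an `IllegalArgumentException` when validation is enabled (the default) are this example's own, not taken from the page.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

import java.util.Arrays;
import java.util.List;

public class HeaderSetWorkaround {

    // Workaround described in the advisory: instead of set(name, values),
    // drop the header and add() each value individually, so every value goes
    // through the per-value validation that add() performs. setValidated is
    // a helper name chosen for this example, not a netty API.
    static void setValidated(HttpHeaders headers, CharSequence name, Iterable<?> values) {
        headers.remove(name);
        for (Object value : values) {
            // add() validates the value (rejects CR/LF and other prohibited
            // characters) before storing it; a bad value throws and nothing
            // from this iteration onward is stored.
            headers.add(name, value);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: the second value carries a CRLF followed by
        // an injected header line, the classic response-splitting payload.
        List<String> values = Arrays.asList(
                "text/html",
                "text/plain\r\nSet-Cookie: session=attacker");

        // Path 1: the bulk set() overload the advisory warns about.
        HttpHeaders viaSet = new DefaultHttpHeaders(); // validation on by default
        try {
            viaSet.set("Content-Type", values);
            // Reached on netty < 4.1.86.Final: the CRLF value is stored unvalidated.
            System.out.println("set() accepted: " + viaSet.getAll("Content-Type"));
        } catch (IllegalArgumentException e) {
            // Reached on 4.1.86.Final and later, where set() validates too.
            System.out.println("set() rejected: " + e.getMessage());
        }

        // Path 2: the workaround, which validates on every affected version.
        HttpHeaders viaAdd = new DefaultHttpHeaders();
        try {
            setValidated(viaAdd, "Content-Type", values);
            System.out.println("workaround accepted: " + viaAdd.getAll("Content-Type"));
        } catch (IllegalArgumentException e) {
            System.out.println("workaround rejected: " + e.getMessage());
        }
    }
}
```

One caveat worth keeping in mind when applying the workaround as written: because `add()` runs once per value, a rejected value leaves the earlier, valid values of the same header already stored. If partial state is unacceptable, validate all values (for instance by adding them to a scratch `DefaultHttpHeaders` first) before touching the real header set.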
