Your message dated Sun, 12 May 2024 20:36:47 +0000
with message-id <e1s6fw7-000ypx...@fasolo.debian.org>
and subject line Bug#1068110: fixed in netty 1:4.1.48-10
has caused the Debian Bug report #1068110,
regarding netty: CVE-2024-29025
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068110: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068110
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.48-9
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for netty.

CVE-2024-29025[0]:
| Netty is an asynchronous event-driven network application framework
| for rapid development of maintainable high performance protocol
| servers & clients. The `HttpPostRequestDecoder` can be tricked to
| accumulate data. While the decoder can store items on the disk if
| configured so, there are no limits to the number of fields the form
| can have, so an attacker can send a chunked post consisting of many
| small fields that will be accumulated in the `bodyListHttpData`
| list. The decoder cumulates bytes in the `undecodedChunk` buffer
| until it can decode a field, and this field can cumulate data without
| limits. This vulnerability is fixed in 4.1.108.Final.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29025
    https://www.cve.org/CVERecord?id=CVE-2024-29025
[1] https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
[2] https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
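The advisory above names two places where a request body accumulates without bound: the list of decoded fields and the buffer holding bytes of a field that has not yet terminated. The following toy decoder is an added illustration, not Netty's code and not part of the bug report. It reproduces both accumulation points on constructed chunked input and shows the effect of the two limits a hardened decoder enforces, a maximum field count and a maximum number of buffered bytes. The class, parameter and exception names (FormDecoder, max_fields, max_buffered_bytes, TooManyFormFields, TooLongFormField) are this example's own, not Netty's API.

```python
"""Added illustration for CVE-2024-29025 (not Netty's code, not from the
bug report): a toy chunked form-body decoder showing the two ways the
advisory says data accumulates without limits, and the field-count and
buffered-byte limits a hardened decoder enforces. Class and parameter names
(FormDecoder, max_fields, max_buffered_bytes) are this example's own."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class TooManyFormFields(Exception):
    """Raised when the decoded-field list would exceed max_fields."""


class TooLongFormField(Exception):
    """Raised when the undecoded buffer would exceed max_buffered_bytes."""


@dataclass
class FormDecoder:
    # None = no limit, which is the pre-fix behaviour described in the advisory.
    max_fields: Optional[int] = None
    max_buffered_bytes: Optional[int] = None
    # Mirrors the two accumulation points named in the advisory:
    # bytes waiting for a complete field, and the list of decoded fields.
    undecoded_chunk: bytes = b""
    body_list: List[Tuple[str, str]] = field(default_factory=list)

    def offer(self, chunk: bytes) -> None:
        """Feed one body chunk, decoding every complete 'name=value&' field."""
        if (self.max_buffered_bytes is not None
                and len(self.undecoded_chunk) + len(chunk) > self.max_buffered_bytes):
            raise TooLongFormField("field exceeds max_buffered_bytes")
        self.undecoded_chunk += chunk
        while True:
            sep = self.undecoded_chunk.find(b"&")
            if sep < 0:
                break  # incomplete field: keep buffering until the next '&'
            raw = self.undecoded_chunk[:sep]
            self.undecoded_chunk = self.undecoded_chunk[sep + 1:]
            self._add_field(raw)

    def _add_field(self, raw: bytes) -> None:
        if self.max_fields is not None and len(self.body_list) >= self.max_fields:
            raise TooManyFormFields("form exceeds max_fields")
        name, _, value = raw.decode("utf-8", "replace").partition("=")
        self.body_list.append((name, value))


def many_small_fields(count: int, chunk_size: int = 64) -> List[bytes]:
    """Constructed body: `count` tiny fields 'f=v&' delivered in small chunks."""
    body = b"f=v&" * count
    return [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]


def one_unterminated_field(total: int, chunk_size: int = 1024) -> List[bytes]:
    """Constructed body: 'x=' plus `total` bytes with no terminating '&'."""
    body = b"x=" + b"A" * total
    return [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]


def feed(decoder: FormDecoder, chunks: List[bytes]) -> dict:
    """Feed chunks until the decoder rejects one; report what accumulated."""
    error = None
    for chunk in chunks:
        try:
            decoder.offer(chunk)
        except (TooManyFormFields, TooLongFormField) as exc:
            error = type(exc).__name__
            break
    return {"fields": len(decoder.body_list),
            "buffered": len(decoder.undecoded_chunk),
            "error": error}


if __name__ == "__main__":
    print("unbounded, many fields:", feed(FormDecoder(), many_small_fields(5000)))
    print("max_fields=128:", feed(FormDecoder(max_fields=128), many_small_fields(5000)))
    print("unbounded, endless field:", feed(FormDecoder(), one_unterminated_field(256_000)))
    print("max_buffered_bytes=16384:",
          feed(FormDecoder(max_buffered_bytes=16384), one_unterminated_field(256_000)))
```

With no limits the decoder keeps every one of the 5000 tiny fields and, for the unterminated field, holds all 256 KiB in its buffer; the bounded decoder rejects the request at the 129th field and at the first chunk that would push the buffer past 16 KiB. The buffered-bytes check runs before the chunk is appended, so a rejected request never costs more memory than the configured limit.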
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-10
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 12 May 2024 21:20:10 +0200
Source: netty
Architecture: source
Version: 1:4.1.48-10
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1068110
Changes:
 netty (1:4.1.48-10) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2024-29025:
     Julien Viet discovered that Netty, a Java NIO client/server socket
     framework, was vulnerable to allocation of resources without limits or
     throttling due to the accumulation of data in the HttpPostRequestDecoder.
     This would allow an attacker to cause a denial of service.
     Thanks to Salvatore Bonaccorso for the report. (Closes: #1068110)
Checksums-Sha1:
 93f3861280d96cf0d92fbb7b00b7c4022ad0a46e 2573 netty_4.1.48-10.dsc
 e146316f0e3aef11e1e2e31e12332f63257ce280 43116 netty_4.1.48-10.debian.tar.xz
 2c13c8f43e404a0867bcf6405ff8c64eee33e8c4 16247 netty_4.1.48-10_amd64.buildinfo
Checksums-Sha256:
 20405785f7dbf3dfa6acab842843fd11325d070fe7933a31f3c1a5df1b262667 2573 netty_4.1.48-10.dsc
 6db4654cec7819c9584f1aff7a4ba2c3712d20ab6eb8b515695bc5ef6af55b94 43116 netty_4.1.48-10.debian.tar.xz
 3e414bf6b72cba2a90ef9cce9e976b79289f394fb86e176cb835d17ea3c167a0 16247 netty_4.1.48-10_amd64.buildinfo
Files:
 1bbc65fecdf4a69526ff1e14a7f8248f 2573 java optional netty_4.1.48-10.dsc
 e2a38b6bd08265c01a0d610fd497f0bb 43116 java optional netty_4.1.48-10.debian.tar.xz
 44689d3be473f8cea3c1f7567d3115ee 16247 java optional netty_4.1.48-10_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---