SUSE-SU-2023:2096-2

Source
https://www.suse.com/support/update/announcement/2023/suse-su-20232096-2/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2023:2096-2.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2023:2096-2
Related
Published
2023-06-21T10:37:18Z
Modified
2023-06-21T10:37:18Z
Summary
Security update for netty, netty-tcnative
Details

This update for netty, netty-tcnative fixes the following issues:

netty:

  • Security fixes included in this version update from 4.1.75 to 4.1.90:

    • CVE-2022-24823: Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files for Java 6 and lower in io.netty:netty-codec-http (bsc#1199338)
    • CVE-2022-41881: HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360)
    • CVE-2022-41915: HTTP Response splitting from assigning header value iterator (bsc#1206379)
  • Other non-security bug fixes included in this version update from 4.1.75 to 4.1.90:

    • Build with Java 11 on ix86 architecture in order to avoid build failures
    • Fix HttpHeaders.names for non-String headers
    • Fix FlowControlHandler behaviour to pass read events when auto-reading is turned off
    • Fix brotli compression
    • Fix a bug in FlowControlHandler that broke auto-read
    • Fix a potential memory leak bug has been in the pooled allocator
    • Fix a scalability issue caused by instanceof and check-cast checks that lead to false-sharing on the Klass::secondary_super_cache field in the JVM
    • Fix a bug in our PEMParser when PEM files have multiple objects, and BouncyCastle is on the classpath
    • Fix several NullPointerException bugs
    • Fix a regression SslContext private key loading
    • Fix a bug in SslContext private key reading fall-back path
    • Fix a buffer leak regression in HttpClientCodec
    • Fix a bug where some HttpMessage implementations, that also implement HttpContent, were not handled correctly
    • Fix epoll bug when receiving zero-sized datagrams
    • Fix a bug in SslHandler so handlerRemoved works properly even if handlerAdded throws an exception
    • Fix an issue that allowed the multicast methods on EpollDatagramChannel to be called outside of an event-loop thread
    • Fix a bug where an OPT record was added to DNS queries that already had such a record
    • Fix a bug that caused an error when files uploaded with HTTP POST contained a backslash in their name
    • Fix an issue in the BlockHound integration that could occasionally cause NetUtil to be reported as performing blocking operation. A similar BlockHound issue was fixed for the JdkSslContext
    • Fix a bug that prevented preface or settings frames from being flushed, when an HTTP2 connection was established with prior-knowledge
    • Fix a bug where Netty fails to load a shaded native library
    • Fix and relax overly strict HTTP/2 header validation check that was rejecting requests from Chrome and Firefox
    • Fix OpenSSL and BoringSSL implementations to respect the jdk.tls.client.protocols and jdk.tls.server.protocols system properties, making them react to these in the same way the JDK SSL provider does
    • Fix inconsitencies in how epoll, kqueue, and NIO handle RDHUP
    • For a more detailed list of changes please consult the official release notes:
      • Changes from 4.1.90: https://netty.io/news/2023/03/14/4-1-90-Final.html
      • Changes from 4.1.89: https://netty.io/news/2023/02/13/4-1-89-Final.html
      • Changes from 4.1.88: https://netty.io/news/2023/02/12/4-1-88-Final.html
      • Changes from 4.1.87: https://netty.io/news/2023/01/12/4-1-87-Final.html
      • Changes from 4.1.86: https://netty.io/news/2022/12/12/4-1-86-Final.html
      • Changes from 4.1.85: https://netty.io/news/2022/11/09/4-1-85-Final.html
      • Changes from 4.1.84: https://netty.io/news/2022/10/11/4-1-84-Final.html
      • Changes from 4.1.82: https://netty.io/news/2022/09/13/4-1-82-Final.html
      • Changes from 4.1.81: https://netty.io/news/2022/09/08/4-1-81-Final.html
      • Changes from 4.1.80: https://netty.io/news/2022/08/26/4-1-80-Final.html
      • Changes from 4.1.79: https://netty.io/news/2022/07/11/4-1-79-Final.html
      • Changes from 4.1.78: https://netty.io/news/2022/06/14/4-1-78-Final.html
      • Changes from 4.1.77: https://netty.io/news/2022/05/06/2-1-77-Final.html
      • Changes from 4.1.76: https://netty.io/news/2022/04/12/4-1-76-Final.html

netty-tcnative:

  • New artifact named netty-tcnative-classes, provided by this update is required by netty 4.1.90 which contains important security updates
  • No formal changelog present. This artifact is closely bound to the netty releases
References

Affected packages

SUSE:Linux Enterprise Module for Development Tools 15 SP5 / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.59-150200.3.10.1

Ecosystem specific

{
    "binaries": [
        {
            "netty-tcnative": "2.0.59-150200.3.10.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Package Hub 15 SP5 / netty

Package

Name
netty
Purl
pkg:rpm/suse/netty&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.90-150200.4.14.1

Ecosystem specific

{
    "binaries": [
        {
            "netty": "4.1.90-150200.4.14.1",
            "netty-javadoc": "4.1.90-150200.4.14.1",
            "netty-poms": "4.1.90-150200.4.14.1"
        }
    ]
}

openSUSE:Leap 15.5 / netty

Package

Name
netty
Purl
pkg:rpm/opensuse/netty&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.90-150200.4.14.1

Ecosystem specific

{
    "binaries": [
        {
            "netty": "4.1.90-150200.4.14.1",
            "netty-tcnative": "2.0.59-150200.3.10.1",
            "netty-javadoc": "4.1.90-150200.4.14.1",
            "netty-poms": "4.1.90-150200.4.14.1",
            "netty-tcnative-javadoc": "2.0.59-150200.3.10.1"
        }
    ]
}

openSUSE:Leap 15.5 / netty-tcnative

Package

Name
netty-tcnative
Purl
pkg:rpm/opensuse/netty-tcnative&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.59-150200.3.10.1

Ecosystem specific

{
    "binaries": [
        {
            "netty": "4.1.90-150200.4.14.1",
            "netty-tcnative": "2.0.59-150200.3.10.1",
            "netty-javadoc": "4.1.90-150200.4.14.1",
            "netty-poms": "4.1.90-150200.4.14.1",
            "netty-tcnative-javadoc": "2.0.59-150200.3.10.1"
        }
    ]
}