Security update for netty, netty-tcnative

Announcement ID: SUSE-SU-2023:2096-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2022-24823 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2022-24823 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2022-41881 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2022-41881 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2022-41915 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2022-41915 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Products:
  • Development Tools Module 15-SP4
  • openSUSE Leap 15.4
  • SUSE Enterprise Storage 7
  • SUSE Enterprise Storage 7.1
  • SUSE Linux Enterprise Desktop 15 SP4
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  • SUSE Linux Enterprise Real Time 15 SP3
  • SUSE Linux Enterprise Real Time 15 SP4
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Manager Proxy 4.3
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.3

An update that solves three vulnerabilities and contains one feature can now be installed.

Description:

This update for netty, netty-tcnative fixes the following issues:

netty:

  • Security fixes included in this version update from 4.1.75 to 4.1.90:
  • CVE-2022-24823: Local information disclosure vulnerability in Netty on Unix-like systems due to temporary files created when running on Java 6 and lower in io.netty:netty-codec-http (bsc#1199338)
  • CVE-2022-41881: HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360)
  • CVE-2022-41915: HTTP Response splitting from assigning header value iterator (bsc#1206379)

  • Other non-security bug fixes included in this version update from 4.1.75 to 4.1.90:

  • Build with Java 11 on the ix86 architecture to avoid build failures
  • Fix HttpHeaders.names for non-String headers
  • Fix FlowControlHandler behaviour to pass read events when auto-reading is turned off
  • Fix brotli compression
  • Fix a bug in FlowControlHandler that broke auto-read
  • Fix a potential memory leak in the pooled allocator
  • Fix a scalability issue caused by instanceof and check-cast checks that led to false sharing on the Klass::secondary_super_cache field in the JVM
  • Fix a bug in our PEMParser when PEM files have multiple objects, and BouncyCastle is on the classpath
  • Fix several NullPointerException bugs
  • Fix a regression in SslContext private key loading
  • Fix a bug in SslContext private key reading fall-back path
  • Fix a buffer leak regression in HttpClientCodec
  • Fix a bug where some HttpMessage implementations that also implement HttpContent were not handled correctly
  • Fix epoll bug when receiving zero-sized datagrams
  • Fix a bug in SslHandler so handlerRemoved works properly even if handlerAdded throws an exception
  • Fix an issue that allowed the multicast methods on EpollDatagramChannel to be called outside of an event-loop thread
  • Fix a bug where an OPT record was added to DNS queries that already had such a record
  • Fix a bug that caused an error when files uploaded with HTTP POST contained a backslash in their name
  • Fix an issue in the BlockHound integration that could occasionally cause NetUtil to be reported as performing a blocking operation. A similar BlockHound issue was fixed for the JdkSslContext
  • Fix a bug that prevented preface or settings frames from being flushed, when an HTTP2 connection was established with prior-knowledge
  • Fix a bug where Netty fails to load a shaded native library
  • Fix and relax overly strict HTTP/2 header validation check that was rejecting requests from Chrome and Firefox
  • Fix OpenSSL and BoringSSL implementations to respect the jdk.tls.client.protocols and jdk.tls.server.protocols system properties, making them react to these in the same way the JDK SSL provider does
  • Fix inconsistencies in how epoll, kqueue, and NIO handle RDHUP
  • For a more detailed list of changes please consult the official release notes:
    • Changes from 4.1.90: https://netty.io/news/2023/03/14/4-1-90-Final.html
    • Changes from 4.1.89: https://netty.io/news/2023/02/13/4-1-89-Final.html
    • Changes from 4.1.88: https://netty.io/news/2023/02/12/4-1-88-Final.html
    • Changes from 4.1.87: https://netty.io/news/2023/01/12/4-1-87-Final.html
    • Changes from 4.1.86: https://netty.io/news/2022/12/12/4-1-86-Final.html
    • Changes from 4.1.85: https://netty.io/news/2022/11/09/4-1-85-Final.html
    • Changes from 4.1.84: https://netty.io/news/2022/10/11/4-1-84-Final.html
    • Changes from 4.1.82: https://netty.io/news/2022/09/13/4-1-82-Final.html
    • Changes from 4.1.81: https://netty.io/news/2022/09/08/4-1-81-Final.html
    • Changes from 4.1.80: https://netty.io/news/2022/08/26/4-1-80-Final.html
    • Changes from 4.1.79: https://netty.io/news/2022/07/11/4-1-79-Final.html
    • Changes from 4.1.78: https://netty.io/news/2022/06/14/4-1-78-Final.html
    • Changes from 4.1.77: https://netty.io/news/2022/05/06/4-1-77-Final.html
    • Changes from 4.1.76: https://netty.io/news/2022/04/12/4-1-76-Final.html

netty-tcnative:

  • The new artifact netty-tcnative-classes, provided by this update, is required by netty 4.1.90, which contains the security fixes listed above
  • No formal changelog is present; this artifact is closely bound to the netty releases

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch openSUSE-SLE-15.4-2023-2096=1
  • Development Tools Module 15-SP4
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2023-2096=1
  • SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-2096=1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-2096=1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-2096=1
  • SUSE Linux Enterprise Real Time 15 SP3
    zypper in -t patch SUSE-SLE-Product-RT-15-SP3-2023-2096=1
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-2096=1
  • SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-2096=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-2096=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-2096=1
  • SUSE Enterprise Storage 7.1
    zypper in -t patch SUSE-Storage-7.1-2023-2096=1
  • SUSE Enterprise Storage 7
    zypper in -t patch SUSE-Storage-7-2023-2096=1

Package List:

  • openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
    • netty-4.1.90-150200.4.14.1
    • netty-tcnative-2.0.59-150200.3.10.1
  • openSUSE Leap 15.4 (noarch)
    • netty-javadoc-4.1.90-150200.4.14.1
    • netty-poms-4.1.90-150200.4.14.1
    • netty-tcnative-javadoc-2.0.59-150200.3.10.1
  • Development Tools Module 15-SP4 (aarch64 ppc64le s390x x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
  • SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
  • SUSE Linux Enterprise Real Time 15 SP3 (x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
  • SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
  • SUSE Enterprise Storage 7.1 (aarch64 x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
  • SUSE Enterprise Storage 7 (aarch64 x86_64)
    • netty-tcnative-2.0.59-150200.3.10.1
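The zypper commands above only update the SUSE-packaged netty and netty-tcnative RPMs. An application that ships its own netty jars (inside /opt, a WAR, or a vendor lib directory) keeps its bundled copy and stays at whatever upstream version it was built against. The following script is an added example, not part of this advisory or of the netty project: it compares installed RPM versions against the fixed builds listed in the package list, and classifies bundled jars by file name against the 4.1.90 upstream release the advisory updates to. The rpm query format, the directories scanned by check_host, the netty-<module>-<version>.Final.jar naming, and the pre-fix sample versions are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not part of the SUSE advisory or of the netty project.
# Decides whether the SUSE netty / netty-tcnative RPMs on a host are at or
# above the fixed builds from SUSE-SU-2023:2096-1, and flags netty jars that
# applications bundle themselves, which "zypper patch" does not touch.
# Assumptions: rpm -q output in "NAME VERSION-RELEASE" form; bundled jars
# follow the upstream naming netty-<module>-<version>.Final.jar.

FIXED_NETTY="4.1.90-150200.4.14.1"      # fixed build from the advisory's package list
FIXED_TCNATIVE="2.0.59-150200.3.10.1"   # fixed build from the advisory's package list
FIRST_FIXED_UPSTREAM="4.1.90"           # upstream release the advisory updates to

# vercmp A B: prints lt, eq or gt. Splits on "." and "-" and compares the
# numeric fields left to right; an alphabetic suffix such as ".Final" is
# ignored and missing trailing fields count as 0.
vercmp() {
    a=$(printf '%s' "$1" | tr '-' '.' | sed 's/\.[A-Za-z][A-Za-z0-9]*//g')
    b=$(printf '%s' "$2" | tr '-' '.' | sed 's/\.[A-Za-z][A-Za-z0-9]*//g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return 0; fi
    done
    echo eq
}

# rpm_status NAME VERSION-RELEASE: prints fixed, VULNERABLE or unknown for one
# installed package, using the fixed build that applies to that package name.
rpm_status() {
    case "$1" in
        netty|netty-javadoc|netty-poms)        fixed=$FIXED_NETTY ;;
        netty-tcnative|netty-tcnative-javadoc) fixed=$FIXED_TCNATIVE ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$(vercmp "$2" "$fixed")" = lt ]; then echo VULNERABLE; else echo fixed; fi
}

# check_rpm_list: reads "NAME VERSION-RELEASE" lines on stdin (the shape the
# rpm query in check_host produces) and prints one verdict per line.
check_rpm_list() {
    while read -r name ver; do
        [ -n "$name" ] || continue
        echo "$name $ver $(rpm_status "$name" "$ver")"
    done
}

# jar_status PATH: classifies a bundled jar by file name against the upstream
# release the advisory updates to. tcnative jars are skipped because the
# advisory gives no upstream first-fixed version for them.
jar_status() {
    base=$(basename "$1" .jar)
    case "$base" in
        netty-tcnative*) echo skip; return 0 ;;
        netty-*) ;;
        *) echo skip; return 0 ;;
    esac
    ver=$(printf '%s\n' "$base" | sed -n 's/^netty-.*-\([0-9][0-9.]*\)\(\.Final\)*$/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    if [ "$(vercmp "$ver" "$FIRST_FIXED_UPSTREAM")" = lt ]; then echo VULNERABLE; else echo fixed; fi
}

# scan_jars DIR: runs jar_status over every netty jar found under DIR.
scan_jars() {
    find "$1" -name 'netty-*.jar' 2>/dev/null | while read -r jar; do
        echo "$jar $(jar_status "$jar")"
    done
}

# check_host: live check of this machine. The directory list is an assumption;
# adjust it to wherever your Java applications keep their libraries.
check_host() {
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' netty netty-tcnative | check_rpm_list
    for d in /opt /srv /usr/share/java; do scan_jars "$d"; done
}

# Constructed sample data standing in for rpm output and a find listing; the
# pre-fix RPM release number is made up for the example.
check_rpm_list <<'EOF'
netty 4.1.75-150200.4.11.1
netty-tcnative 2.0.59-150200.3.10.1
EOF
for j in /opt/app/lib/netty-codec-http-4.1.75.Final.jar /opt/app/lib/netty-all-4.1.90.Final.jar; do
    echo "$j $(jar_status "$j")"
done
```

Run check_host on a patched machine to confirm both RPMs report "fixed"; any jar line marked VULNERABLE is an application copy of netty that this update did not and cannot replace, and it needs a rebuild or vendor update of that application. The version comparison is numeric only, which is sufficient for the SUSE version-release strings in this advisory and for upstream netty releases.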
