Security update for netty, netty-tcnative
Announcement ID: | SUSE-SU-2023:2096-2 |
---|---|
Rating: | important |
References: | |
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves three vulnerabilities and contains one feature can now be installed.
Description:
This update for netty, netty-tcnative fixes the following issues:
netty:
- Security fixes included in this version update from 4.1.75 to 4.1.90:
- CVE-2022-24823: Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files for Java 6 and lower in io.netty:netty-codec-http (bsc#1199338)
- CVE-2022-41881: HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360)
-
CVE-2022-41915: HTTP Response splitting from assigning header value iterator (bsc#1206379)
-
Other non-security bug fixes included in this version update from 4.1.75 to 4.1.90:
- Build with Java 11 on ix86 architecture in order to avoid build failures
- Fix
HttpHeaders.names
for non-String headers - Fix
FlowControlHandler
behaviour to pass read events when auto-reading is turned off - Fix brotli compression
- Fix a bug in FlowControlHandler that broke auto-read
- Fix a potential memory leak bug has been in the pooled allocator
- Fix a scalability issue caused by instanceof and check-cast checks that lead to false-sharing on the
Klass::secondary_super_cache
field in the JVM - Fix a bug in our
PEMParser
when PEM files have multiple objects, andBouncyCastle
is on the classpath - Fix several
NullPointerException
bugs - Fix a regression
SslContext
private key loading - Fix a bug in
SslContext
private key reading fall-back path - Fix a buffer leak regression in
HttpClientCodec
- Fix a bug where some
HttpMessage
implementations, that also implementHttpContent
, were not handled correctly - Fix epoll bug when receiving zero-sized datagrams
- Fix a bug in
SslHandler
sohandlerRemoved
works properly even ifhandlerAdded
throws an exception - Fix an issue that allowed the multicast methods on
EpollDatagramChannel
to be called outside of an event-loop thread - Fix a bug where an OPT record was added to DNS queries that already had such a record
- Fix a bug that caused an error when files uploaded with HTTP POST contained a backslash in their name
- Fix an issue in the
BlockHound
integration that could occasionally cause NetUtil to be reported as performing blocking operation. A similarBlockHound
issue was fixed for theJdkSslContext
- Fix a bug that prevented preface or settings frames from being flushed, when an HTTP2 connection was established with prior-knowledge
- Fix a bug where Netty fails to load a shaded native library
- Fix and relax overly strict HTTP/2 header validation check that was rejecting requests from Chrome and Firefox
- Fix OpenSSL and BoringSSL implementations to respect the
jdk.tls.client.protocols
andjdk.tls.server.protocols
system properties, making them react to these in the same way the JDK SSL provider does - Fix inconsitencies in how
epoll
,kqueue
, andNIO
handle RDHUP - For a more detailed list of changes please consult the official release notes:
- Changes from 4.1.90: https://netty.io/news/2023/03/14/4-1-90-Final.html
- Changes from 4.1.89: https://netty.io/news/2023/02/13/4-1-89-Final.html
- Changes from 4.1.88: https://netty.io/news/2023/02/12/4-1-88-Final.html
- Changes from 4.1.87: https://netty.io/news/2023/01/12/4-1-87-Final.html
- Changes from 4.1.86: https://netty.io/news/2022/12/12/4-1-86-Final.html
- Changes from 4.1.85: https://netty.io/news/2022/11/09/4-1-85-Final.html
- Changes from 4.1.84: https://netty.io/news/2022/10/11/4-1-84-Final.html
- Changes from 4.1.82: https://netty.io/news/2022/09/13/4-1-82-Final.html
- Changes from 4.1.81: https://netty.io/news/2022/09/08/4-1-81-Final.html
- Changes from 4.1.80: https://netty.io/news/2022/08/26/4-1-80-Final.html
- Changes from 4.1.79: https://netty.io/news/2022/07/11/4-1-79-Final.html
- Changes from 4.1.78: https://netty.io/news/2022/06/14/4-1-78-Final.html
- Changes from 4.1.77: https://netty.io/news/2022/05/06/2-1-77-Final.html
- Changes from 4.1.76: https://netty.io/news/2022/04/12/4-1-76-Final.html
netty-tcnative:
- New artifact named
netty-tcnative-classes
, provided by this update is required by netty 4.1.90 which contains important security updates - No formal changelog present. This artifact is closely bound to the netty releases
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2023-2096=1
-
Development Tools Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-2096=1
-
SUSE Package Hub 15 15-SP5
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-2096=1
Package List:
-
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
- netty-4.1.90-150200.4.14.1
- netty-tcnative-2.0.59-150200.3.10.1
-
openSUSE Leap 15.5 (noarch)
- netty-javadoc-4.1.90-150200.4.14.1
- netty-poms-4.1.90-150200.4.14.1
- netty-tcnative-javadoc-2.0.59-150200.3.10.1
-
Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
- netty-tcnative-2.0.59-150200.3.10.1
-
SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
- netty-4.1.90-150200.4.14.1
-
SUSE Package Hub 15 15-SP5 (noarch)
- netty-javadoc-4.1.90-150200.4.14.1
- netty-poms-4.1.90-150200.4.14.1
References:
- https://www.suse.com/security/cve/CVE-2022-24823.html
- https://www.suse.com/security/cve/CVE-2022-41881.html
- https://www.suse.com/security/cve/CVE-2022-41915.html
- https://bugzilla.suse.com/show_bug.cgi?id=1199338
- https://bugzilla.suse.com/show_bug.cgi?id=1206360
- https://bugzilla.suse.com/show_bug.cgi?id=1206379
- https://jira.suse.com/browse/SLE-23217