|
|
Subscribe / Log in / New account

SUSE alert SUSE-SU-2023:2096-2 (netty, netty-tcnative)



From:
              sle-security-updates@lists.suse.com


To:
              sle-security-updates@lists.suse.com


Subject:
              SUSE-SU-2023:2096-2: important: Security update for netty, netty-tcnative


Date:
              Wed, 21 Jun 2023 12:31:48 -0000


Message-ID:
              <168735070814.19377.11014212029653757448@smelt2.suse.de>




# Security update for netty, netty-tcnative

Announcement ID: SUSE-SU-2023:2096-2  
Rating: important  
References:

  * #1199338
  * #1206360
  * #1206379

  
Cross-References:

  * CVE-2022-24823
  * CVE-2022-41881
  * CVE-2022-41915

  
CVSS scores:

  * CVE-2022-24823 ( SUSE ):  6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2022-24823 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  * CVE-2022-41881 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2022-41881 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2022-41915 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  * CVE-2022-41915 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

  
Affected Products:

  * Development Tools Module 15-SP5
  * openSUSE Leap 15.5
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise Real Time 15 SP5
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Package Hub 15 15-SP5

  
  
An update that solves three vulnerabilities and contains one feature can now be
installed.

## Description:

This update for netty, netty-tcnative fixes the following issues:

netty:

  * Security fixes included in this version update from 4.1.75 to 4.1.90:
  * CVE-2022-24823: Local Information Disclosure Vulnerability in Netty on Unix-
    Like systems due temporary files for Java 6 and lower in io.netty:netty-
    codec-http (bsc#1199338)
  * CVE-2022-41881: HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360)
  * CVE-2022-41915: HTTP Response splitting from assigning header value iterator
    (bsc#1206379)

  * Other non-security bug fixes included in this version update from 4.1.75 to
    4.1.90:

  * Build with Java 11 on ix86 architecture in order to avoid build failures
  * Fix `HttpHeaders.names` for non-String headers
  * Fix `FlowControlHandler` behaviour to pass read events when auto-reading is
    turned off
  * Fix brotli compression
  * Fix a bug in FlowControlHandler that broke auto-read
  * Fix a potential memory leak bug has been in the pooled allocator
  * Fix a scalability issue caused by instanceof and check-cast checks that lead
    to false-sharing on the `Klass::secondary_super_cache` field in the JVM
  * Fix a bug in our `PEMParser` when PEM files have multiple objects, and
    `BouncyCastle` is on the classpath
  * Fix several `NullPointerException` bugs
  * Fix a regression `SslContext` private key loading
  * Fix a bug in `SslContext` private key reading fall-back path
  * Fix a buffer leak regression in `HttpClientCodec`
  * Fix a bug where some `HttpMessage` implementations, that also implement
    `HttpContent`, were not handled correctly
  * Fix epoll bug when receiving zero-sized datagrams
  * Fix a bug in `SslHandler` so `handlerRemoved` works properly even if
    `handlerAdded` throws an exception
  * Fix an issue that allowed the multicast methods on `EpollDatagramChannel` to
    be called outside of an event-loop thread
  * Fix a bug where an OPT record was added to DNS queries that already had such
    a record
  * Fix a bug that caused an error when files uploaded with HTTP POST contained
    a backslash in their name
  * Fix an issue in the `BlockHound` integration that could occasionally cause
    NetUtil to be reported as performing blocking operation. A similar
    `BlockHound` issue was fixed for the `JdkSslContext`
  * Fix a bug that prevented preface or settings frames from being flushed, when
    an HTTP2 connection was established with prior-knowledge
  * Fix a bug where Netty fails to load a shaded native library
  * Fix and relax overly strict HTTP/2 header validation check that was
    rejecting requests from Chrome and Firefox
  * Fix OpenSSL and BoringSSL implementations to respect the
    `jdk.tls.client.protocols` and `jdk.tls.server.protocols` system properties,
    making them react to these in the same way the JDK SSL provider does
  * Fix inconsitencies in how `epoll`, `kqueue`, and `NIO` handle RDHUP
  * For a more detailed list of changes please consult the official release
    notes:
    * Changes from 4.1.90: https://netty.io/news/2023/03/14/4-1-90-Final.html
    * Changes from 4.1.89: https://netty.io/news/2023/02/13/4-1-89-Final.html
    * Changes from 4.1.88: https://netty.io/news/2023/02/12/4-1-88-Final.html
    * Changes from 4.1.87: https://netty.io/news/2023/01/12/4-1-87-Final.html
    * Changes from 4.1.86: https://netty.io/news/2022/12/12/4-1-86-Final.html
    * Changes from 4.1.85: https://netty.io/news/2022/11/09/4-1-85-Final.html
    * Changes from 4.1.84: https://netty.io/news/2022/10/11/4-1-84-Final.html
    * Changes from 4.1.82: https://netty.io/news/2022/09/13/4-1-82-Final.html
    * Changes from 4.1.81: https://netty.io/news/2022/09/08/4-1-81-Final.html
    * Changes from 4.1.80: https://netty.io/news/2022/08/26/4-1-80-Final.html
    * Changes from 4.1.79: https://netty.io/news/2022/07/11/4-1-79-Final.html
    * Changes from 4.1.78: https://netty.io/news/2022/06/14/4-1-78-Final.html
    * Changes from 4.1.77: https://netty.io/news/2022/05/06/2-1-77-Final.html
    * Changes from 4.1.76: https://netty.io/news/2022/04/12/4-1-76-Final.html

netty-tcnative:

  * New artifact named `netty-tcnative-classes`, provided by this update is
    required by netty 4.1.90 which contains important security updates
  * No formal changelog present. This artifact is closely bound to the netty
    releases

## Patch Instructions:

To install this SUSE Important update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2023-2096=1

  * Development Tools Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-2096=1

  * SUSE Package Hub 15 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-2096=1

## Package List:

  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * netty-tcnative-2.0.59-150200.3.10.1
    * netty-4.1.90-150200.4.14.1
  * openSUSE Leap 15.5 (noarch)
    * netty-tcnative-javadoc-2.0.59-150200.3.10.1
    * netty-javadoc-4.1.90-150200.4.14.1
    * netty-poms-4.1.90-150200.4.14.1
  * Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * netty-tcnative-2.0.59-150200.3.10.1
  * SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
    * netty-4.1.90-150200.4.14.1
  * SUSE Package Hub 15 15-SP5 (noarch)
    * netty-javadoc-4.1.90-150200.4.14.1
    * netty-poms-4.1.90-150200.4.14.1

## References:

  * https://www.suse.com/security/cve/CVE-2022-24823.html
  * https://www.suse.com/security/cve/CVE-2022-41881.html
  * https://www.suse.com/security/cve/CVE-2022-41915.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1199338
  * https://bugzilla.suse.com/show_bug.cgi?id=1206360
  * https://bugzilla.suse.com/show_bug.cgi?id=1206379
  * https://jira.suse.com/browse/SLE-23217
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds