netty - Debian Package Tracker

general

source: netty (main)
version: 1:4.1.48-4
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Kyo Lee [DMD] – Graziano Obertelli [DMD] – Chris Grzegorczyk [DMD]
arch: all
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:4.1.7-2+deb9u1
o-o-sec: 1:4.1.7-2+deb9u3
oldstable: 1:4.1.33-1+deb10u2
old-sec: 1:4.1.33-1+deb10u2
stable: 1:4.1.48-4
testing: 1:4.1.48-4
unstable: 1:4.1.48-4

versioned links

1:4.1.7-2+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.1.7-2+deb9u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.1.33-1+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.1.48-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libnetty-java (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 4.1.77 high

A new upstream version 4.1.77 is available, you should consider packaging it.

Created: 2020-06-29 Last update: 2022-05-19 22:32

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2021-37136: The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
CVE-2021-37137: The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CVE-2021-43797: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Created: 2021-10-10 Last update: 2022-05-08 06:04

3 security issues in bookworm high

There are 3 open security issues in bookworm.

3 important issues:

CVE-2021-37136: The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
CVE-2021-37137: The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CVE-2021-43797: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Created: 2021-10-10 Last update: 2022-05-08 06:04

lintian reports 24 warnings normal

Lintian reports 24 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-01-01 Last update: 2022-01-01 04:33

3 low-priority security issues in buster low

There are 3 open security issues in buster.

3 issues left for the package maintainer to handle:

CVE-2021-37136: (needs triaging) The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
CVE-2021-37137: (needs triaging) The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CVE-2021-43797: (needs triaging) Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-10-10 Last update: 2022-05-08 06:04

3 low-priority security issues in bullseye low

There are 3 open security issues in bullseye.

3 issues left for the package maintainer to handle:

CVE-2021-37136: (needs triaging) The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
CVE-2021-37137: (needs triaging) The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CVE-2021-43797: (needs triaging) Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-10-10 Last update: 2022-05-08 06:04

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.5.1).

Created: 2021-08-18 Last update: 2022-05-11 23:24

news

[rss feed]

[2021-04-13] Accepted netty 1:4.1.33-1+deb10u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-04-10] netty 1:4.1.48-4 MIGRATED to testing (Debian testing watch)
[2021-04-05] Accepted netty 1:4.1.33-1+deb10u2 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Markus Koschany)
[2021-04-01] Accepted netty 1:4.1.48-4 (source) into unstable (tony mancill)
[2021-03-26] Accepted netty 1:4.1.48-3 (source) into unstable (Markus Koschany)
[2021-02-17] netty 1:4.1.48-2 MIGRATED to testing (Debian testing watch)
[2021-02-14] Accepted netty 1:4.1.48-2 (source) into unstable (Markus Koschany)
[2021-02-11] Accepted netty 1:4.1.7-2+deb9u3 (source all) into oldstable (Chris Lamb)
[2020-09-04] Accepted netty 1:4.1.7-2+deb9u2 (source) into oldstable (Roberto C. Sanchez)
[2020-04-11] netty 1:4.1.48-1 MIGRATED to testing (Debian testing watch)
[2020-04-05] Accepted netty 1:4.1.48-1 (source) into unstable (Emmanuel Bourg)
[2020-03-26] netty 1:4.1.45-2 MIGRATED to testing (Debian testing watch)
[2020-03-21] Accepted netty 1:4.1.45-2 (source) into unstable (Sudip Mukherjee) (signed by: tony mancill)
[2020-03-01] netty 1:4.1.45-1 MIGRATED to testing (Debian testing watch)
[2020-02-24] Accepted netty 1:4.1.45-1 (source) into unstable (Emmanuel Bourg)
[2020-02-19] Accepted netty 1:3.2.6.Final-2+deb8u2 (source all) into oldoldstable (Sylvain Beucler)
[2020-01-14] netty 1:4.1.33-3 MIGRATED to testing (Debian testing watch)
[2020-01-09] Accepted netty 1:4.1.33-3 (source) into unstable (tony mancill)
[2020-01-08] Accepted netty 1:4.1.7-2+deb9u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Salvatore Bonaccorso)
[2020-01-06] Accepted netty 1:4.1.33-1+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2020-01-05] netty 1:4.1.33-2 MIGRATED to testing (Debian testing watch)
[2020-01-03] Accepted netty 1:4.1.33-1+deb10u1 (source) into stable->embargoed, stable (Salvatore Bonaccorso)
[2020-01-03] Accepted netty 1:4.1.7-2+deb9u1 (source) into oldstable->embargoed, oldstable (Salvatore Bonaccorso)
[2020-01-03] Accepted netty 1:4.1.33-2 (source) into unstable (Salvatore Bonaccorso) (signed by: tony mancill)
[2019-09-30] Accepted netty 1:3.2.6.Final-2+deb8u1 (source all) into oldoldstable (Mike Gabriel)
[2019-01-27] netty 1:4.1.33-1 MIGRATED to testing (Debian testing watch)
[2019-01-22] Accepted netty 1:4.1.33-1 (source) into unstable (Emmanuel Bourg)
[2018-09-10] netty 1:4.1.29-1 MIGRATED to testing (Debian testing watch)
[2018-09-04] Accepted netty 1:4.1.29-1 (source) into unstable (Emmanuel Bourg)
[2017-08-06] netty 1:4.1.7-4 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 4
RC: 0
I&N: 4
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 24)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:4.1.48-4