An update for netty is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1143
Final
1.0
1.0
2021-04-07
Initial
2021-04-07
2021-04-07
openEuler SA Tool V1.0
2021-04-07
netty security update
An update for netty is now available for openEuler-20.03-LTS-SP1.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.
Security Fix(es):
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.(CVE-2021-21290)
An update for netty is now available for openEuler-20.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
Medium
netty
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1143
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-21290
https://nvd.nist.gov/vuln/detail/CVE-2021-21290
openEuler-20.03-LTS-SP1
netty-4.1.13-10.oe1.aarch64.rpm
netty-help-4.1.13-10.oe1.noarch.rpm
netty-4.1.13-10.oe1.src.rpm
netty-4.1.13-10.oe1.x86_64.rpm
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
2021-04-07
CVE-2021-21290
openEuler-20.03-LTS-SP1
Medium
5.5
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
netty security update
2021-04-07
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1143