An update for netty is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1423
Final
1.0
1.0
2021-11-05
Initial
2021-11-05
2021-11-05
openEuler SA Tool V1.0
2021-11-05
netty security update
An update for netty is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.
Security Fix(es):
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. (CVE-2021-37137)
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. (CVE-2021-37136)
openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
netty
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1423
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-37137
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-37136
https://nvd.nist.gov/vuln/detail/CVE-2021-37137
https://nvd.nist.gov/vuln/detail/CVE-2021-37136
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
netty-4.1.13-12.oe1.aarch64.rpm
netty-4.1.13-12.oe1.aarch64.rpm
netty-help-4.1.13-12.oe1.noarch.rpm
netty-help-4.1.13-12.oe1.noarch.rpm
netty-4.1.13-12.oe1.src.rpm
netty-4.1.13-12.oe1.src.rpm
netty-4.1.13-12.oe1.x86_64.rpm
netty-4.1.13-12.oe1.x86_64.rpm
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
2021-11-05
CVE-2021-37137
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
netty security update
2021-11-05
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1423
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
2021-11-05
CVE-2021-37136
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
netty security update
2021-11-05
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1423