File _patchinfo of Package patchinfo.28292

Overview Repositories Revisions Requests Users Attributes Meta

File _patchinfo of Package patchinfo.28292

<patchinfo incident="28292">
  <issue tracker="jsc" id="SLE-23217"></issue>
  <issue tracker="bnc" id="1206360">VUL-0: CVE-2022-41881: netty: Infinte recursion in HAProxyMessageDecoder</issue>
  <issue tracker="bnc" id="1199338">VUL-0: CVE-2022-24823: netty: world readable temporary file containing sensitive data</issue>
  <issue tracker="bnc" id="1206379">VUL-0: CVE-2022-41915: netty3,netty: HTTP Response splitting from assigning header value iterator</issue>
  <issue tracker="cve" id="2022-41881"/>
  <issue tracker="cve" id="2022-41915"/>
  <issue tracker="cve" id="2022-24823"/>
  <packager>fstrba</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for netty, netty-tcnative</summary>
  <description>This update for netty, netty-tcnative fixes the following issues:

netty:

- Security fixes included in this version update from 4.1.75 to 4.1.90:
  * CVE-2022-24823: Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files for
    Java 6 and lower in io.netty:netty-codec-http (bsc#1199338)
  * CVE-2022-41881: HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360)
  * CVE-2022-41915: HTTP Response splitting from assigning header value iterator (bsc#1206379)
    
- Other non-security bug fixes included in this version update from 4.1.75 to 4.1.90:
  * Build with Java 11 on ix86 architecture in order to avoid build failures 
  * Fix `HttpHeaders.names` for non-String headers
  * Fix `FlowControlHandler` behaviour to pass read events when auto-reading is turned off
  * Fix brotli compression
  * Fix a bug in FlowControlHandler that broke auto-read
  * Fix a potential memory leak bug has been in the pooled allocator
  * Fix a scalability issue caused by instanceof and check-cast checks that lead to false-sharing on the 
    `Klass::secondary_super_cache` field in the JVM
  * Fix a bug in our `PEMParser` when PEM files have multiple objects, and `BouncyCastle` is on the classpath
  * Fix several `NullPointerException` bugs
  * Fix a regression `SslContext` private key loading
  * Fix a bug in `SslContext` private key reading fall-back path
  * Fix a buffer leak regression in `HttpClientCodec`
  * Fix a bug where some `HttpMessage` implementations, that also implement `HttpContent`, were not handled correctly
  * Fix epoll bug when receiving zero-sized datagrams
  * Fix a bug in `SslHandler` so `handlerRemoved` works properly even if `handlerAdded` throws an exception
  * Fix an issue that allowed the multicast methods on `EpollDatagramChannel` to be called outside of an event-loop 
    thread
  * Fix a bug where an OPT record was added to DNS queries that already had such a record
  * Fix a bug that caused an error when files uploaded with HTTP POST contained a backslash in their name
  * Fix an issue in the `BlockHound` integration that could occasionally cause NetUtil to be reported as performing
    blocking operation. A similar `BlockHound` issue was fixed for the `JdkSslContext`
  * Fix a bug that prevented preface or settings frames from being flushed, when an HTTP2 connection was established
    with prior-knowledge
  * Fix a bug where Netty fails to load a shaded native library
  * Fix and relax overly strict HTTP/2 header validation check that was rejecting requests from Chrome and Firefox
  * Fix OpenSSL and BoringSSL implementations to respect the `jdk.tls.client.protocols` and `jdk.tls.server.protocols`
    system properties, making them react to these in the same way the JDK SSL provider does
  * Fix inconsitencies in how `epoll`, `kqueue`, and `NIO` handle RDHUP
  * For a more detailed list of changes please consult the official release notes:
    +  Changes from 4.1.90: https://netty.io/news/2023/03/14/4-1-90-Final.html
    +  Changes from 4.1.89: https://netty.io/news/2023/02/13/4-1-89-Final.html
    +  Changes from 4.1.88: https://netty.io/news/2023/02/12/4-1-88-Final.html
    +  Changes from 4.1.87: https://netty.io/news/2023/01/12/4-1-87-Final.html
    +  Changes from 4.1.86: https://netty.io/news/2022/12/12/4-1-86-Final.html
    +  Changes from 4.1.85: https://netty.io/news/2022/11/09/4-1-85-Final.html
    +  Changes from 4.1.84: https://netty.io/news/2022/10/11/4-1-84-Final.html
    +  Changes from 4.1.82: https://netty.io/news/2022/09/13/4-1-82-Final.html
    +  Changes from 4.1.81: https://netty.io/news/2022/09/08/4-1-81-Final.html
    +  Changes from 4.1.80: https://netty.io/news/2022/08/26/4-1-80-Final.html
    +  Changes from 4.1.79: https://netty.io/news/2022/07/11/4-1-79-Final.html
    +  Changes from 4.1.78: https://netty.io/news/2022/06/14/4-1-78-Final.html
    +  Changes from 4.1.77: https://netty.io/news/2022/05/06/2-1-77-Final.html
    +  Changes from 4.1.76: https://netty.io/news/2022/04/12/4-1-76-Final.html

netty-tcnative:
    
- New artifact named `netty-tcnative-classes`, provided by this update is required by netty 4.1.90 which contains 
  important security updates
- No formal changelog present. This artifact is closely bound to the netty releases
</description>
</patchinfo>

Places

File _patchinfo of Package patchinfo.28292

Places