Your message dated Wed, 22 Nov 2023 13:47:08 +0000
with message-id <[email protected]>
and subject line Bug#1054234: fixed in netty 1:4.1.48-7+deb12u1
has caused the Debian Bug report #1054234,
regarding netty: CVE-2023-44487
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1054234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054234
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.48-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:4.1.48-4

Hi,

The following vulnerability was published for netty.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487
[1] https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
[2] https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-7+deb12u1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Nov 2023 13:46:30 CET
Source: netty
Architecture: source
Version: 1:4.1.48-7+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1038947 1054234
Changes:
 netty (1:4.1.48-7+deb12u1) bookworm-security; urgency=high
 .
   * Team upload.
     Fix CVE-2023-34462: (Closes: #1038947)
     Guard against high memory usage when parsing ClientHello messages.
   * Fix CVE-2023-44487: (Closes: #1054234)
     The HTTP/2 protocol allows a denial of service (server resource
     consumption) because request cancellation can reset many streams quickly.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
