On 06/18/2016 11:51 AM, Salvatore Bonaccorso wrote:
> Source: netty
> Version: 1:4.0.36-2
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for netty. Can you please
> double-check this issue. According to upstream all versions
> 4.0.0.Final - 4.0.36.Final and 4.1.0.Final would be affected, and
> fixed in 4.1.1.Final, according to [1].
>
> CVE-2016-4970[0]:
> Infinite loop vulnerability when handling renegotiation using
> SslProvider.OpenSsl
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-4970
> [1] http://netty.io/news/2016/06/07/4-1-1-Final.html
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Hi Salvatore,

Based on the notes in [2], I have uploaded 4.0.37 to unstable, which should take care of the CVE in unstable and testing. This will give the Java Team a moment to discuss strategy regarding 4.0.x vs. 4.1.x.

I haven't seen any information as to whether this vulnerability also affects the version in stable, 3.2.6.

Cheers,
tony

[2] http://netty.io/news/2016/06/07/4-0-37-Final.html