Source: netty
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for netty.

CVE-2023-34462[0]:
| Netty is an asynchronous event-driven network application framework
| for rapid development of maintainable high performance protocol
| servers & clients. The `SniHandler` can allocate up to 16MB of heap
| for each channel during the TLS handshake. When the handler or the
| channel does not have an idle timeout, it can be used to make a TCP
| server using the `SniHandler` to allocate 16MB of heap. The
| `SniHandler` class is a handler that waits for the TLS handshake to
| configure a `SslHandler` according to the server name indicated by
| the `ClientHello` record. For this matter it allocates a `ByteBuf`
| using the value defined in the `ClientHello` record. Normally the
| value of the packet should be smaller than the handshake packet but
| there are no checks done here and the way the code is written, it
| is possible to craft a packet that makes the
| `SslClientHelloHandler`. This vulnerability has been fixed in
| version 4.1.94.Final.

https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34462
    https://www.cve.org/CVERecord?id=CVE-2023-34462

Please adjust the affected versions in the BTS as needed.
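The advisory names the missing idle timeout as the condition that lets a client hold the per-channel handshake buffer. The following is an added illustration (not code from the netty project or from this report) of a pipeline that gives the channel such a timeout before `SniHandler` runs; the class names `SniWithIdleTimeoutInitializer` and `IdleCloser` are hypothetical, and the Netty 4.1 API (`IdleStateHandler`, `IdleStateEvent`, `SniHandler`, `Mapping`) is assumed.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
import io.netty.util.Mapping;

// Hypothetical initializer: bounds how long a connection may sit in the
// TLS handshake without sending data. This limits how long a client can
// keep the SniHandler's per-channel buffer alive; the allocation size
// itself is only fixed by upgrading to netty 4.1.94.Final or later.
public final class SniWithIdleTimeoutInitializer extends ChannelInitializer<SocketChannel> {
    private final Mapping<String, SslContext> sniMapping;
    private final int handshakeIdleSeconds;

    public SniWithIdleTimeoutInitializer(Mapping<String, SslContext> sniMapping,
                                         int handshakeIdleSeconds) {
        this.sniMapping = sniMapping;
        this.handshakeIdleSeconds = handshakeIdleSeconds;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // Reader-idle timer first, so it covers the handshake phase as well:
        // a peer that opens a connection and then stops sending its
        // ClientHello is closed after handshakeIdleSeconds (e.g. 10).
        ch.pipeline().addLast("idle", new IdleStateHandler(handshakeIdleSeconds, 0, 0));
        ch.pipeline().addLast("idleCloser", new IdleCloser());
        // SniHandler replaces itself with an SslHandler once the server
        // name from the ClientHello has been read.
        ch.pipeline().addLast("sni", new SniHandler(sniMapping));
        // Application handlers would follow here.
    }

    // Closes the channel when IdleStateHandler reports that no bytes were
    // read within the configured window.
    static final class IdleCloser extends ChannelInboundHandlerAdapter {
        @Override
        public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
            if (evt instanceof IdleStateEvent) {
                ctx.close();
            } else {
                super.userEventTriggered(ctx, evt);
            }
        }
    }
}
```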