Source: netty
Version: 1:4.1.48-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:4.1.33-1+deb10u1
Control: found -1 1:4.1.33-1
Hi,

The following vulnerability was published for netty.

CVE-2021-21290[0]:
| Netty is an open-source, asynchronous event-driven network application
| framework for rapid development of maintainable high performance
| protocol servers & clients. In Netty before version 4.1.59.Final
| there is a vulnerability on Unix-like systems involving an insecure
| temp file. When netty's multipart decoders are used, local information
| disclosure can occur via the local system temporary directory if
| temporarily storing uploads on the disk is enabled. On Unix-like
| systems, the temporary directory is shared between all users. As such,
| writing to this directory using APIs that do not explicitly set the
| file/directory permissions can lead to information disclosure. Of
| note, this does not impact modern macOS operating systems. The method
| "File.createTempFile" on Unix-like systems creates a random file, but,
| by default, will create this file with the permissions "-rw-r--r--".
| Thus, if sensitive information is written to this file, other local
| users can read this information. This is the case in netty's
| "AbstractDiskHttpData", which is vulnerable. This has been fixed in version
| 4.1.59.Final. As a workaround, one may specify your own
| "java.io.tmpdir" when you start the JVM or use
| "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to
| something that is only readable by the current user.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21290
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21290
[1] https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
[2] https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec

Please adjust the affected versions in the BTS as needed.
Regards, Salvatore __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
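The following is an added illustration of the permission problem the advisory describes and of the workaround it suggests; it is editor-written example code, not part of the bug report, of netty, or of the upstream fix. It contrasts java.io.File.createTempFile (whose mode depends on the process umask, typically giving -rw-r--r--) with java.nio.file.Files.createTempFile carrying an explicit owner-only PosixFilePermissions attribute, and it creates a drwx------ directory of the kind one would hand to DefaultHttpDataFactory.setBaseDir(...) or set as java.io.tmpdir. The class name, the "upload-"/"netty-uploads-" prefixes and the netty call shown in the comment are assumptions for the demo; netty itself is not needed on the classpath to run it.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Editor-written demo (hypothetical class name), not netty code. */
public class TempFilePermsDemo {

    // Owner-only modes: -rw------- for files, drwx------ for directories.
    private static final Set<PosixFilePermission> OWNER_RW =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
    private static final Set<PosixFilePermission> OWNER_RWX =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE,
                       PosixFilePermission.OWNER_EXECUTE);

    // The advisory's caveat: only Unix-like (POSIX) file systems are affected; on others
    // the POSIX attribute view does not exist and must not be requested.
    private static boolean posixSupported() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    /** The pattern the advisory describes: mode is 0666 & ~umask, usually -rw-r--r--. */
    static File insecureTempFile() throws IOException {
        File f = File.createTempFile("upload-", ".tmp");
        f.deleteOnExit();
        return f;
    }

    /** Hardened variant: the owner-only mode is applied atomically at creation, so there
     *  is no window in which another local user can open the file. */
    static Path secureTempFile() throws IOException {
        Path p;
        if (posixSupported()) {
            FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(OWNER_RW);
            p = Files.createTempFile("upload-", ".tmp", attr);
        } else {
            p = Files.createTempFile("upload-", ".tmp");
        }
        p.toFile().deleteOnExit();
        return p;
    }

    /** A private base directory of the kind the advisory's workaround calls for:
     *  pass dir.toString() to DefaultHttpDataFactory.setBaseDir(...) or use it as -Djava.io.tmpdir. */
    static Path privateBaseDir() throws IOException {
        if (posixSupported()) {
            return Files.createTempDirectory("netty-uploads-", PosixFilePermissions.asFileAttribute(OWNER_RWX));
        }
        return Files.createTempDirectory("netty-uploads-");
    }

    /** Renders the mode as ls would, e.g. "rw-r--r--", for the check below. */
    static String perms(Path p) throws IOException {
        return posixSupported()
                ? PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
                : "n/a (non-POSIX file system)";
    }

    public static void main(String[] args) throws IOException {
        File insecure = insecureTempFile();
        Path secure = secureTempFile();
        Path dir = privateBaseDir();
        System.out.println("File.createTempFile  -> " + insecure + "  " + perms(insecure.toPath()));
        System.out.println("Files.createTempFile -> " + secure + "  " + perms(secure));
        System.out.println("private base dir     -> " + dir + "  " + perms(dir));
        // Workaround wiring (hypothetical, netty not on the classpath in this demo):
        //   DefaultHttpDataFactory factory = new DefaultHttpDataFactory(true);
        //   factory.setBaseDir(dir.toString());
        Files.deleteIfExists(secure);
        Files.deleteIfExists(dir);
    }
}
```

Run it with `java TempFilePermsDemo.java` (JDK 11+) on Linux with the common umask 022 and the first line shows rw-r--r-- while the other two show rw------- and rwx------. A quick audit of a running service is the same check from the shell: `ls -l "$TMPDIR"` (or /tmp) while an upload is in flight should show no group or world read bits on the multipart spill files. Note that on POSIX file systems Files.createTempFile already defaults to an owner-only mode even without the explicit attribute, so the attribute mainly makes the intent visible and reviewable; File.createTempFile offers no such parameter, which is why the workaround is to point the whole base directory somewhere only the current user can enter.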
