Your message dated Sat, 11 Nov 2023 22:54:34 +0000
with message-id <e1r1ws6-00333s...@fasolo.debian.org>
and subject line Bug#1054234: fixed in netty 1:4.1.48-8
has caused the Debian Bug report #1054234,
regarding netty: CVE-2023-44487
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054234
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.48-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:4.1.48-4

Hi,

The following vulnerability was published for netty.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487
[1] https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
[2] https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-8
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 Nov 2023 21:07:13 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1038947 1054234
Changes:
 netty (1:4.1.48-8) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2023-34462: (Closes: #1038947)
     Guard against high memory usage when parsing ClientHello messages.
   * Fix CVE-2023-44487: (Closes: #1054234)
     The HTTP/2 protocol allows a denial of service (server resource
     consumption) because request cancellation can reset many streams quickly.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.