Your message dated Wed, 22 Nov 2023 13:17:52 +0000
with message-id <e1r5n72-001cii...@fasolo.debian.org>
and subject line Bug#1054234: fixed in netty 1:4.1.48-4+deb11u2
has caused the Debian Bug report #1054234,
regarding netty: CVE-2023-44487
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054234
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.48-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:4.1.48-4

Hi,

The following vulnerability was published for netty.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487
[1] https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
[2] https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-4+deb11u2
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Nov 2023 16:09:25 CET
Source: netty
Architecture: source
Version: 1:4.1.48-4+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1038947 1054234
Changes:
 netty (1:4.1.48-4+deb11u2) bullseye-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2023-34462: (Closes: #1038947)
     Guard against high memory usage when parsing ClientHello messages.
   * Fix CVE-2023-44487: (Closes: #1054234)
     The HTTP/2 protocol allows a denial of service (server resource
     consumption) because request cancellation can reset many streams quickly.
   * Add 21-java-17.patch to fix a FTBFS with newer OpenJDK versions.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
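
An added example, not part of either message above and not netty's patch or Debian's packaging: a per-connection check for the behaviour the CVE-2023-44487 description names, many streams reset quickly. It reads HTTP/2 frame headers and counts RST_STREAM frames in a sliding window; the thresholds, the helper names and the sample bytes are assumptions made for illustration.

```python
import struct
from collections import deque

HEADERS, RST_STREAM = 0x1, 0x3   # HTTP/2 frame types (RFC 9113, section 6)
FRAME_HEADER_LEN = 9             # 24-bit length, type, flags, R bit + 31-bit stream id

def iter_frames(buf):
    """Yield (frame_type, stream_id) for each complete frame in buf."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(buf):
        hi, lo, ftype, _flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        length = (hi << 16) | lo
        if pos + FRAME_HEADER_LEN + length > len(buf):
            break                          # truncated frame: wait for more bytes
        yield ftype, sid & 0x7FFFFFFF      # drop the reserved bit
        pos += FRAME_HEADER_LEN + length

class RstWindow:
    """Sliding-window count of RST_STREAM frames seen on one connection."""
    def __init__(self, max_rst=200, window_s=30.0):   # assumed thresholds
        self.max_rst, self.window_s = max_rst, window_s
        self.times = deque()

    def observe(self, frame_type, now):
        """Return True once the connection exceeds the limit and should be closed."""
        if frame_type != RST_STREAM:
            return False
        self.times.append(now)
        while now - self.times[0] > self.window_s:
            self.times.popleft()           # forget resets older than the window
        return len(self.times) > self.max_rst

def frame(ftype, stream_id, payload=b""):
    """Build one frame for the constructed sample below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, 0, stream_id) + payload

def first_violation(buf, limiter, frame_interval_s):
    """Index of the frame that trips the limiter, or None (frames evenly spaced)."""
    for i, (ftype, _sid) in enumerate(iter_frames(buf)):
        if limiter.observe(ftype, i * frame_interval_s):
            return i
    return None

# Constructed sample: ten requests, each opened and cancelled at once
# (HEADERS, then RST_STREAM with error code CANCEL = 0x8).
BURST = b"".join(
    frame(HEADERS, sid, b"\x82") + frame(RST_STREAM, sid, struct.pack(">I", 0x8))
    for sid in range(1, 21, 2))
```

The same frames spaced one second apart stay under the limit, so ordinary request cancellation is not flagged; only the reset rate distinguishes the two cases.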
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
