Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
Hi Emmanuel, On Mon, Jun 20, 2016 at 10:07:04AM +0200, Emmanuel Bourg wrote: > Le 19/06/2016 à 00:18, tony mancill a écrit : > > > I haven't seen any information as to whether this vulnerability also > > affects the version in stable, 3.2.6. > > I don't think Jessie is affected, the vulnerable code relies on > netty-tcnative which is in testing/unstable only. The OpenSSL > integration didn't seem to exist in netty 3.2.x. Thanks for confirming! Regards, Salvatore
Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
Le 19/06/2016 à 00:18, tony mancill a écrit : > I haven't seen any information as to whether this vulnerability also > affects the version in stable, 3.2.6. I don't think Jessie is affected, the vulnerable code relies on netty-tcnative which is in testing/unstable only. The OpenSSL integration didn't seem to exist in netty 3.2.x. Emmanuel Bourg
Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
On 06/18/2016 11:51 AM, Salvatore Bonaccorso wrote: > Source: netty > Version: 1:4.0.36-2 > Severity: important > Tags: security upstream > > Hi, > > the following vulnerability was published for netty. Can you please > double-check this issue. According the upstream all versions > 4.0.0.Final - 4.0.36.Final and 4.1.0.Final would be affected, and > fixed in 4.1.1.Final, according to [1]. > > CVE-2016-4970[0]: > Infinite loop vulnerability when handling renegotiation using > SslProvider.OpenSsl > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2016-4970 > [1] http://netty.io/news/2016/06/07/4-1-1-Final.html > > Please adjust the affected versions in the BTS as needed. > > Regards, > Salvatore Hi Salvatore, Based on the notes in [2], I have uploaded 4.0.37 to unstable, which should take care of the CVE in unstable and testing. This will give the Java Team a moment to discuss strategy regarding 4.0.x vs. 4.1.x. I haven't seen any information as to whether this vulnerability also affects the version in stable, 3.2.6. Cheers, tony [2] http://netty.io/news/2016/06/07/4-0-37-Final.html signature.asc Description: OpenPGP digital signature
Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
Source: netty Version: 1:4.0.36-2 Severity: important Tags: security upstream Hi, the following vulnerability was published for netty. Can you please double-check this issue. According the upstream all versions 4.0.0.Final - 4.0.36.Final and 4.1.0.Final would be affected, and fixed in 4.1.1.Final, according to [1]. CVE-2016-4970[0]: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2016-4970 [1] http://netty.io/news/2016/06/07/4-1-1-Final.html Please adjust the affected versions in the BTS as needed. Regards, Salvatore
