[SECURITY] [DSA 5558-1] netty security update

2023-11-1816:33:00

lists.debian.org

security advisory

outofmemoryerror

debian

java nio

denial of service

netty

tls

http/2

rapid reset attack

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.9 High

AI Score

Confidence

Low

0.732 High

EPSS

Percentile

98.1%

JSON

Debian Security Advisory DSA-5558-1 [email protected]
https://www.debian.org/security/ Markus Koschany
November 18, 2023 https://www.debian.org/security/faq

Package : netty
CVE ID : CVE-2023-34462 CVE-2023-44487
Debian Bug : 1038947 1054234

Two security vulnerabilities have been discovered in Netty, a Java NIO
client/server socket framework.

CVE-2023-34462

It might be possible for a remote peer to send a client hello packet during
a TLS handshake which lead the server to buffer up to 16 MB of data per
connection. This could lead to a OutOfMemoryError and so result in a denial
of service.

CVE-2023-44487

The HTTP/2 protocol allowed a denial of service (server resource
consumption) because request cancellation can reset many streams quickly.
This problem is also known as Rapid Reset Attack.

For the oldstable distribution (bullseye), these problems have been fixed
in version 1:4.1.48-4+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in
version 1:4.1.48-7+deb12u1.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/netty

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian11ppc64ellibnghttp2-14-dbgsym< 1.43.0-1+deb11u1libnghttp2-14-dbgsym_1.43.0-1+deb11u1_ppc64el.deb
Debian11mips64elnghttp2-client< 1.43.0-1+deb11u1nghttp2-client_1.43.0-1+deb11u1_mips64el.deb
Debian10armhftrafficserver-dev< 8.1.7-0+deb10u3trafficserver-dev_8.1.7-0+deb10u3_armhf.deb
Debian11i386trafficserver-experimental-plugins-dbgsym< 8.1.9+ds-1~deb11u1trafficserver-experimental-plugins-dbgsym_8.1.9+ds-1~deb11u1_i386.deb
Debian12i386libnghttp2-14-dbgsym< 1.52.0-1+deb12u1libnghttp2-14-dbgsym_1.52.0-1+deb12u1_i386.deb
Debian10arm64libnghttp2-dev< 1.36.0-2+deb10u2libnghttp2-dev_1.36.0-2+deb10u2_arm64.deb
Debian11mips64elnghttp2-client-dbgsym< 1.43.0-1+deb11u1nghttp2-client-dbgsym_1.43.0-1+deb11u1_mips64el.deb
Debian12amd64trafficserver< 9.2.3+ds-1+deb12u1+b2trafficserver_9.2.3+ds-1+deb12u1+b2_amd64.deb
Debian12armelnghttp2-proxy< 1.52.0-1+deb12u1nghttp2-proxy_1.52.0-1+deb12u1_armel.deb
Debian12alltomcat10-user< 10.1.6-1+deb12u1tomcat10-user_10.1.6-1+deb12u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	ppc64el	libnghttp2-14-dbgsym	< 1.43.0-1+deb11u1	libnghttp2-14-dbgsym_1.43.0-1+deb11u1_ppc64el.deb
Debian	11	mips64el	nghttp2-client	< 1.43.0-1+deb11u1	nghttp2-client_1.43.0-1+deb11u1_mips64el.deb
Debian	10	armhf	trafficserver-dev	< 8.1.7-0+deb10u3	trafficserver-dev_8.1.7-0+deb10u3_armhf.deb
Debian	11	i386	trafficserver-experimental-plugins-dbgsym	< 8.1.9+ds-1~deb11u1	trafficserver-experimental-plugins-dbgsym_8.1.9+ds-1~deb11u1_i386.deb
Debian	12	i386	libnghttp2-14-dbgsym	< 1.52.0-1+deb12u1	libnghttp2-14-dbgsym_1.52.0-1+deb12u1_i386.deb
Debian	10	arm64	libnghttp2-dev	< 1.36.0-2+deb10u2	libnghttp2-dev_1.36.0-2+deb10u2_arm64.deb
Debian	11	mips64el	nghttp2-client-dbgsym	< 1.43.0-1+deb11u1	nghttp2-client-dbgsym_1.43.0-1+deb11u1_mips64el.deb
Debian	12	amd64	trafficserver	< 9.2.3+ds-1+deb12u1+b2	trafficserver_9.2.3+ds-1+deb12u1+b2_amd64.deb
Debian	12	armel	nghttp2-proxy	< 1.52.0-1+deb12u1	nghttp2-proxy_1.52.0-1+deb12u1_armel.deb
Debian	12	all	tomcat10-user	< 10.1.6-1+deb12u1	tomcat10-user_10.1.6-1+deb12u1_all.deb