Bug#793770: Cookie parsing bug may lead to 'HttpOnly' cookie bypass (CVE-2015-2156)
Moritz Muehlenhoff
jmm at inutil.org
Mon Jan 9 22:37:40 UTC 2017
severity 793770 grave
thanks
On Mon, Jul 27, 2015 at 11:51:53AM +0200, Luca Bruno wrote:
> Source: netty-3.9
> Version: 3.9.0.Final-1
> Severity: important
> Tags: security upstream patch
>
> LinkedIn Security Team discovered a "Cookie" header parsing bug in Netty
> that could lead to universal bypass of the HttpOnly flag on cookies.
>
> If the HttpOnly flag is included in the HTTP Set-Cookie response header,
> the cookie cannot usually be accessed through client-side script.
> This bug can be however leveraged to leak the cookie's name-value in the DOM,
> where a malicious script can access the content without any restriction.
>
> CVE-2015-2156 has been assigned for this issue, which has been fixed upstream
> in release 3.9.8.Final and 3.10.3.Final.
> Please mention the CVE ID in the changelog when fixing this issue.
>
> References:
> * Security update
> http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
> * Issue technical details / PoC
> http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
> * Fixing commit
> https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27b5a8f79b8
This is unfixed with a patch for nearly 1.5 years, can we please get this
fixed for the stretch release.
Cheers,
Moritz
More information about the pkg-java-maintainers
mailing list