Bug#982580: netty: CVE-2021-21290
Salvatore Bonaccorso
carnil at debian.org
Fri Feb 12 06:42:07 GMT 2021
Source: netty
Version: 1:4.1.48-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1:4.1.33-1+deb10u1
Control: found -1 1:4.1.33-1
Hi,
The following vulnerability was published for netty.
CVE-2021-21290[0]:
| Netty is an open-source, asynchronous event-driven network application
| framework for rapid development of maintainable high performance
| protocol servers & clients. In Netty before version 4.1.59.Final
| there is a vulnerability on Unix-like systems involving an insecure
| temp file. When netty's multipart decoders are used local information
| disclosure can occur via the local system temporary directory if
| temporary storing uploads on the disk is enabled. On unix-like
| systems, the temporary directory is shared between all user. As such,
| writing to this directory using APIs that do not explicitly set the
| file/directory permissions can lead to information disclosure. Of
| note, this does not impact modern MacOS Operating Systems. The method
| "File.createTempFile" on unix-like systems creates a random file, but,
| by default will create this file with the permissions "-rw-r--r--".
| Thus, if sensitive information is written to this file, other local
| users can read this information. This is the case in netty's
| "AbstractDiskHttpData" is vulnerable. This has been fixed in version
| 4.1.59.Final. As a workaround, one may specify your own
| "java.io.tmpdir" when you start the JVM or use
| "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to
| something that is only readable by the current user.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-21290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21290
[1] https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
[2] https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list