Bug 11048

Summary: [Update Request] netty (CVE-2021-21290)
Product: [ROSA-based products] ROSA Fresh
Reporter: Zombie Ryushu <zombie.ryushu>
Component: Packages from Main
Assignee: ROSA Linux Bugs <bugs>
Status: CONFIRMED ---
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: alzim, andrey.bondrov, denis.silakov, m.novosyolov, mc2374
Version: KDE4   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://advisories.mageia.org/MGASA-2021-0136.html
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier: CVE-2020-11612
RPM Package: netty-4.1.13-1.mga7.src
ISO-related:
Bad POT generating:
Upstream:

Description Zombie Ryushu 2020-12-15 15:35:41 MSK
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
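The description above is the unbounded-decompression pattern: a small compressed input expands to far more bytes than the decoder is willing to stop at. The added example below is not from this bug report or from the netty project; it shows, in plain Java with java.util.zip, the defensive shape a bounded decoder takes: inflate in fixed-size chunks and abort as soon as the accumulated output would pass a caller-chosen ceiling, instead of growing a buffer until memory runs out. The 1 MiB limit and the constructed 4 MiB-of-zeros sample are assumptions chosen for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public final class BoundedInflate {

    // Hypothetical per-message ceiling; an application picks this from its own needs (assumption).
    static final int MAX_DECODED_BYTES = 1 << 20; // 1 MiB

    /**
     * Inflate a zlib-wrapped stream, refusing to produce more than maxOut bytes.
     * The check runs before each chunk is appended, so the output buffer never
     * grows past the ceiling regardless of how far the input would expand.
     */
    static byte[] inflateBounded(byte[] compressed, int maxOut) throws DataFormatException {
        Inflater inflater = new Inflater();
        try {
            inflater.setInput(compressed);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            while (!inflater.finished()) {
                int n = inflater.inflate(chunk);
                if (n == 0) {
                    // Not finished and nothing produced: stream is truncated or needs a preset dictionary.
                    throw new DataFormatException("truncated or dictionary-requiring zlib stream");
                }
                if (out.size() + n > maxOut) {
                    // Stop before allocating past the bound; the caller decides how to react (reject, log, close).
                    throw new DataFormatException("decoded size exceeds limit of " + maxOut + " bytes");
                }
                out.write(chunk, 0, n);
            }
            return out.toByteArray();
        } finally {
            inflater.end(); // release native zlib state even on the error path
        }
    }

    /** Constructed sample input: 4 MiB of zeros, which zlib shrinks to a few KiB. */
    static byte[] constructedBomb() {
        byte[] zeros = new byte[4 << 20];
        Deflater deflater = new Deflater();
        deflater.setInput(zeros);
        deflater.finish();
        ByteArrayOutputStream compressed = new ByteArrayOutputStream();
        byte[] buf = new byte[1 << 16];
        while (!deflater.finished()) {
            int len = deflater.deflate(buf);
            compressed.write(buf, 0, len);
        }
        deflater.end();
        return compressed.toByteArray();
    }

    public static void main(String[] args) {
        byte[] bomb = constructedBomb();
        System.out.println("compressed input: " + bomb.length + " bytes");
        try {
            inflateBounded(bomb, MAX_DECODED_BYTES);
            System.out.println("unexpected: decode completed under the limit");
        } catch (DataFormatException e) {
            // Expected: the decoder gives up after at most ~1 MiB of output.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running the class shows a few KiB of input being refused once the decoder would cross the ceiling; the same loop with maxOut set to Integer.MAX_VALUE reproduces the unbounded behaviour the report describes. A server-side decoder wants the limit tied to what the protocol message can legitimately be, not to how much free heap happens to exist.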
Comment 1 Zombie Ryushu 2021-03-22 07:55:52 MSK
When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled (CVE-2021-21290).
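The comment above describes uploads spilled to a shared temporary directory where other local users can read them. The added example below is not from this bug report or from netty itself; it shows the deployment-side mitigation a defender applies regardless of library version: give netty's disk-backed multipart classes a directory created with owner-only permissions, and verify those permissions before serving. It relies on the public static fields DiskFileUpload.baseDirectory, DiskAttribute.baseDirectory and the matching deleteOnExitTemporaryFile flags of netty 4.1, and assumes a POSIX filesystem; the "uploads-" prefix is an arbitrary choice.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

import io.netty.handler.codec.http.multipart.DiskAttribute;
import io.netty.handler.codec.http.multipart.DiskFileUpload;

public final class PrivateUploadDir {

    /**
     * Create a fresh directory that only the owning user can enter, read or write.
     * The permission attribute is applied at creation time, so there is no window
     * in which the directory exists with the process umask defaults.
     */
    static Path createPrivateUploadDir() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        return Files.createTempDirectory("uploads-", attr);
    }

    /**
     * Check that a directory grants nothing to group or others. Use this on whatever
     * directory is actually in use, including an inherited java.io.tmpdir, before
     * enabling disk-backed uploads.
     */
    static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        Set<PosixFilePermission> leaky = EnumSet.of(
                PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
                PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);
        for (PosixFilePermission p : perms) {
            if (leaky.contains(p)) {
                return false;
            }
        }
        return true;
    }

    /** Point netty's disk-backed multipart storage at the private directory. */
    static void configureNetty(Path dir) throws IOException {
        if (!isOwnerOnly(dir)) {
            throw new IOException("refusing to store uploads in a directory readable by other users: " + dir);
        }
        String base = dir.toAbsolutePath().toString();
        DiskFileUpload.baseDirectory = base;
        DiskAttribute.baseDirectory = base;
        // Remove spooled files when the JVM exits so they do not linger for later inspection.
        DiskFileUpload.deleteOnExitTemporaryFile = true;
        DiskAttribute.deleteOnExitTemporaryFile = true;
    }

    public static void main(String[] args) throws IOException {
        // Shows the contrast: the system temp dir is typically world-accessible, the created one is not.
        Path systemTmp = Path.of(System.getProperty("java.io.tmpdir"));
        System.out.println(systemTmp + " owner-only: " + isOwnerOnly(systemTmp));
        Path privateDir = createPrivateUploadDir();
        System.out.println(privateDir + " owner-only: " + isOwnerOnly(privateDir));
        configureNetty(privateDir);
        System.out.println("netty multipart base directory: " + DiskFileUpload.baseDirectory);
    }
}
```

Running this on a typical Linux host reports false for /tmp (mode 1777) and true for the freshly created directory; the configureNetty guard turns a silently leaky default into a startup failure, which is the behaviour a service wants when the upload directory is supplied by an operator or an environment variable. The files netty writes inside still inherit the process umask, so the directory permissions, not the file permissions, are what keep other local users out.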