Bug 13559

Summary: [CVE 21] netty 4.1.13 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: a.proklov, e.kosachev, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
       y.tumanov: secteam_verified+
       a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2023-34462
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-08-24 00:21:59 MSK
Please patch CVEs for package netty version 4.1.13

INFO (CVEs are): netty 4.1.13
CVEs found:
CVE-2023-34462
Desc: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34462
Severity: MEDIUM
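The allocation pattern the description refers to, as an added example in Python (not netty's own Java code): parse only the TLS record header and the ClientHello handshake header, and compare the peer-declared 24-bit length against a policy cap before reserving any buffer. The two sample headers and the 16 KiB cap are constructed for this example.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
RECORD_HEADER_LEN = 5     # content_type(1) + version(2) + length(2)
HANDSHAKE_HEADER_LEN = 4  # msg_type(1) + length(3)
# Hypothetical policy cap for this example; real ClientHellos are a few KiB.
CLIENT_HELLO_CAP = 16 * 1024

# Constructed sample inputs: record header + handshake header only, body omitted.
# The handshake length field is 24 bits, so a peer can declare up to 16 MiB - 1;
# that is the "up to 16MB of heap per channel" figure in the advisory.
NORMAL_HEADER = bytes.fromhex("1603010200" "010001fc")     # declares 508 bytes
OVERSIZED_HEADER = bytes.fromhex("160301000b" "01ffffff")  # declares 16 MiB - 1


def declared_client_hello_len(data: bytes) -> int:
    """Return the 24-bit length a ClientHello header declares for its body.

    Raises ValueError if the bytes are not the start of a ClientHello record.
    """
    if len(data) < RECORD_HEADER_LEN + HANDSHAKE_HEADER_LEN:
        raise ValueError("need the full record and handshake headers")
    content_type, _version, _record_len = struct.unpack("!BHH", data[:RECORD_HEADER_LEN])
    if content_type != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    if data[RECORD_HEADER_LEN] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    return int.from_bytes(data[RECORD_HEADER_LEN + 1:RECORD_HEADER_LEN + 4], "big")


def unchecked_buffer_size(data: bytes) -> int:
    """What an unchecked handler reserves: whatever the peer declared."""
    return declared_client_hello_len(data)


def bounded_buffer_size(data: bytes, cap: int = CLIENT_HELLO_CAP) -> int:
    """What a hardened handler reserves: the declared length is checked against a
    policy cap before any buffer is allocated, so a 9-byte header cannot pin 16 MiB.
    (Handshake messages may span several records, so only the cap is enforced here.)"""
    declared = declared_client_hello_len(data)
    if declared > cap:
        raise ValueError(f"ClientHello declares {declared} bytes, cap is {cap}")
    return declared


if __name__ == "__main__":
    print("unchecked:", unchecked_buffer_size(OVERSIZED_HEADER))  # 16777215
    print("bounded:  ", bounded_buffer_size(NORMAL_HEADER))       # 508
```

An idle timeout on the channel is the second half of the mitigation the description mentions: the cap bounds how much one connection can reserve, the timeout bounds how long it can hold it.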
Comment 1 ilfat 2023-09-06 14:48:34 MSK
********** QA ADVISORY **********

CVE-2023-34462 does not affect netty 4.1.13
(SslClientHelloHandler was introduced in version 4.1.46)

Added an entry to the spec so the vulnerability scanner ignores it.
Rebuilt to update the srpm.


https://abf.rosalinux.ru/build_lists/4681062 aarch64
https://abf.rosalinux.ru/build_lists/4681061 x86_64
Comment 2 Dmitry Postnikov 2023-09-07 12:53:26 MSK
***************************
The update was sent to testing
Comment 3 Vladimir Potapov 2023-09-12 08:52:58 MSK
netty-4.1.13-13
https://abf.rosalinux.ru/build_lists/4681062 aarch64
https://abf.rosalinux.ru/build_lists/4681061 x86_64
**************************** Advisory ************************
Rebuild to ignore CVE
**************************************************************
QA Verified
Comment 4 Yury 2023-10-19 13:01:53 MSK
secteam_verified