Bug 28446

Summary: netty new security issue CVE-2021-21290
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: netty-4.1.51-1.mga8.src.rpm CVE: CVE-2021-21290
Status comment:
Bug Depends on:    
Bug Blocks: 26019    

Description David Walser 2021-02-26 17:13:48 CET 
Debian-LTS has issued an advisory on February 11:
https://www.debian.org/lts/security/2021/dla-2555

The issue is fixed upstream in 4.1.59:
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2

Mageia 7 and Mageia 8 are also affected.

Mageia 7 is in Bug 26019.
David Walser 2021-02-26 17:14:10 CET

Blocks: (none) => 26019
Status comment: (none) => Fixed upstream in 4.1.59
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2021-02-28 21:18:27 CET 
package pushed in mga8:

src:
     - netty-4.1.51-1.1.mga8

Assignee: java => qa-bugs
CC: (none) => mageia
Status comment: Fixed upstream in 4.1.59 => (none)
Version: Cauldron => 8

Comment 2 David Walser 2021-03-01 17:48:58 CET 
Package list:
netty-4.1.51-1.1.mga8
netty-javadoc-4.1.51-1.1.mga8

Whiteboard: MGA8TOO => (none)

Comment 3 David Walser 2021-03-03 02:03:02 CET 
Advisory:
========================

Updated netty packages fix security vulnerability:

When netty's multipart decoders are used local information disclosure can occur
via the local system temporary directory if temporary storing uploads on the
disk is enabled (CVE-2021-21290)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21290
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
Comment 4 Thomas Andrews 2021-03-14 00:25:20 CET 
No installation issues.

Search Bugzilla for previous netty updates, and found Bug 23974. After some attempts at a valid test, Herman and Len agreed to OK this on a clean install. 

Sounds good to me. Validating. Advisory in Comment 3.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Aurelien Oudelet 2021-03-14 16:50:52 CET 
Advisory pushed to SVN.

CVE: (none) => CVE-2021-21290
Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 6 Mageia Robot 2021-03-14 22:22:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0136.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED