Debian has issued an advisory on January 3: https://www.debian.org/security/2020/dsa-4597 The issue is fixed upstream in 4.1.42. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 4.1.42
Debian-LTS has issued an advisory today (February 19): https://www.debian.org/lts/security/2020/dla-2109 It fixes three new issues (one due to an incomplete fix for the original issue in this bug) which are fixed upstream in 4.1.44.
Status comment: Fixed upstream in 4.1.42 => Fixed upstream in 4.1.44
Summary: netty new security issue CVE-2019-16869 => netty new security issue CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238
Debian-LTS has issued an advisory on September 4: https://www.debian.org/lts/security/2020/dla-2364 It fixes a new issue, fixed upstream in 4.1.46. I noticed we still have netty3 packaged too, and Debian-LTS fixed some of these issues for that on September 4: https://www.debian.org/lts/security/2020/dla-2365
Severity: major => critical
Summary: netty new security issue CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238 => netty, netty3 new security issues CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238, CVE-2020-11612
Status comment: Fixed upstream in 4.1.44 => Fixed upstream in 4.1.46
Source RPM: netty-4.1.13-2.mga8.src.rpm => netty-4.1.13-2.mga8.src.rpm, netty3-3.10.6-4.mga8.src.rpm
Ubuntu has issued an advisory for some of these issues on September 22: https://ubuntu.com/security/notices/USN-4532-1
Fedora has issued an advisory for this today (September 25): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/
Ubuntu has issued an advisory for some of these issues on October 27: https://ubuntu.com/security/notices/USN-4600-2
*** Bug 27828 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu
Not an issue in Cauldron, we have netty 4.1.51.
Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Also netty3 was dropped.
Source RPM: netty-4.1.13-2.mga8.src.rpm, netty3-3.10.6-4.mga8.src.rpm => netty-4.1.13-1.mga7.src.rpm, netty3-3.10.6-2.mga7.src.rpm
Debian-LTS has issued an advisory on February 11: https://www.debian.org/lts/security/2021/dla-2555 The issue is fixed upstream in 4.1.59: https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
Summary: netty, netty3 new security issues CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238, CVE-2020-11612 => netty, netty3 new security issues CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238, CVE-2020-11612, CVE-2021-21290
Status comment: Fixed upstream in 4.1.46 => Fixed upstream in 4.1.59
Depends on: (none) => 28446
Depends on: (none) => 28985
Debian has issued an advisory on April 5: https://www.debian.org/security/2021/dsa-4885 The issues are fixed upstream in 4.1.61.
Status comment: Fixed upstream in 4.1.59 => Fixed upstream in 4.1.61
Summary: netty, netty3 new security issues CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238, CVE-2020-11612, CVE-2021-21290 => netty, netty3 new security issues CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238, CVE-2020-11612, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409
openSUSE has issued an advisory for CVE-2021-21295 on March 19: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XDF63Q7PJ5ZO6J24Z3YJ7WWZWTTROVC2/ They patched the same netty version we have in Mageia 7.
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Resolution: (none) => OLD
Status: NEW => RESOLVED