Debian-LTS has issued an advisory on February 11:
https://www.debian.org/lts/security/2021/dla-2555

The issue is fixed upstream in 4.1.59:
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2

Mageia 7 and Mageia 8 are also affected. Mageia 7 is in Bug 26019.
Blocks: (none) => 26019
Status comment: (none) => Fixed upstream in 4.1.59
Whiteboard: (none) => MGA8TOO
package pushed in mga8:
src:
- netty-4.1.51-1.1.mga8
Assignee: java => qa-bugs
CC: (none) => mageia
Status comment: Fixed upstream in 4.1.59 => (none)
Version: Cauldron => 8
Package list:
netty-4.1.51-1.1.mga8
netty-javadoc-4.1.51-1.1.mga8
Whiteboard: MGA8TOO => (none)
Advisory:
========================

Updated netty packages fix security vulnerability:

When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled (CVE-2021-21290)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21290
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
No installation issues. Searched Bugzilla for previous netty updates, and found Bug 23974. After some attempts at a valid test, Herman and Len agreed to OK this on a clean install. Sounds good to me. Validating. Advisory in Comment 3.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
CVE: (none) => CVE-2021-21290
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0136.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED