<div class="container">
<h1>Security update for netty, netty-tcnative</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2023:2096-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1199338">#1199338</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1206360">#1206360</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1206379">#1206379</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2022-24823.html">CVE-2022-24823</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2022-41881.html">CVE-2022-41881</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2022-41915.html">CVE-2022-41915</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-24823</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.2</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-24823</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-41881</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-41881</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-41915</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-41915</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Development Tools Module 15-SP4</li>
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">SUSE Enterprise Storage 7</li>
<li class="list-group-item">SUSE Enterprise Storage 7.1</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Manager Proxy 4.3</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.3</li>
<li class="list-group-item">SUSE Manager Server 4.3</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves three vulnerabilities and contains one feature can now be installed.</p>
<h2>Description:</h2>
<p>This update for netty, netty-tcnative fixes the following issues:</p>
<p>netty:</p>
<p>Security fixes included in this version update from 4.1.75 to 4.1.90:</p>
<ul>
<li>CVE-2022-24823: Local Information Disclosure Vulnerability in Netty on Unix-like systems due to temporary files for
Java 6 and lower in io.netty:netty-codec-http (bsc#1199338)</li>
<li>CVE-2022-41881: HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360)</li>
<li>CVE-2022-41915: HTTP Response splitting from assigning header value iterator (bsc#1206379)</li>
</ul>
<p>Other non-security bug fixes included in this version update from 4.1.75 to 4.1.90:</p>
<ul>
<li>Build with Java 11 on ix86 architecture in order to avoid build failures </li>
<li>Fix <code>HttpHeaders.names</code> for non-String headers</li>
<li>Fix <code>FlowControlHandler</code> behaviour to pass read events when auto-reading is turned off</li>
<li>Fix brotli compression</li>
<li>Fix a bug in FlowControlHandler that broke auto-read</li>
<li>Fix a potential memory leak bug in the pooled allocator</li>
<li>Fix a scalability issue caused by instanceof and check-cast checks that lead to false-sharing on the
<code>Klass::secondary_super_cache</code> field in the JVM</li>
<li>Fix a bug in our <code>PEMParser</code> when PEM files have multiple objects, and <code>BouncyCastle</code> is on the classpath</li>
<li>Fix several <code>NullPointerException</code> bugs</li>
<li>Fix a regression in <code>SslContext</code> private key loading</li>
<li>Fix a bug in <code>SslContext</code> private key reading fall-back path</li>
<li>Fix a buffer leak regression in <code>HttpClientCodec</code></li>
<li>Fix a bug where some <code>HttpMessage</code> implementations, that also implement <code>HttpContent</code>, were not handled correctly</li>
<li>Fix epoll bug when receiving zero-sized datagrams</li>
<li>Fix a bug in <code>SslHandler</code> so <code>handlerRemoved</code> works properly even if <code>handlerAdded</code> throws an exception</li>
<li>Fix an issue that allowed the multicast methods on <code>EpollDatagramChannel</code> to be called outside of an event-loop
thread</li>
<li>Fix a bug where an OPT record was added to DNS queries that already had such a record</li>
<li>Fix a bug that caused an error when files uploaded with HTTP POST contained a backslash in their name</li>
<li>Fix an issue in the <code>BlockHound</code> integration that could occasionally cause NetUtil to be reported as performing
blocking operation. A similar <code>BlockHound</code> issue was fixed for the <code>JdkSslContext</code></li>
<li>Fix a bug that prevented preface or settings frames from being flushed, when an HTTP2 connection was established
with prior-knowledge</li>
<li>Fix a bug where Netty fails to load a shaded native library</li>
<li>Fix and relax overly strict HTTP/2 header validation check that was rejecting requests from Chrome and Firefox</li>
<li>Fix OpenSSL and BoringSSL implementations to respect the <code>jdk.tls.client.protocols</code> and <code>jdk.tls.server.protocols</code>
system properties, making them react to these in the same way the JDK SSL provider does</li>
<li>Fix inconsistencies in how <code>epoll</code>, <code>kqueue</code>, and <code>NIO</code> handle RDHUP</li>
<li>For a more detailed list of changes please consult the official release notes:<ul>
<li>Changes from 4.1.90: https://netty.io/news/2023/03/14/4-1-90-Final.html</li>
<li>Changes from 4.1.89: https://netty.io/news/2023/02/13/4-1-89-Final.html</li>
<li>Changes from 4.1.88: https://netty.io/news/2023/02/12/4-1-88-Final.html</li>
<li>Changes from 4.1.87: https://netty.io/news/2023/01/12/4-1-87-Final.html</li>
<li>Changes from 4.1.86: https://netty.io/news/2022/12/12/4-1-86-Final.html</li>
<li>Changes from 4.1.85: https://netty.io/news/2022/11/09/4-1-85-Final.html</li>
<li>Changes from 4.1.84: https://netty.io/news/2022/10/11/4-1-84-Final.html</li>
<li>Changes from 4.1.82: https://netty.io/news/2022/09/13/4-1-82-Final.html</li>
<li>Changes from 4.1.81: https://netty.io/news/2022/09/08/4-1-81-Final.html</li>
<li>Changes from 4.1.80: https://netty.io/news/2022/08/26/4-1-80-Final.html</li>
<li>Changes from 4.1.79: https://netty.io/news/2022/07/11/4-1-79-Final.html</li>
<li>Changes from 4.1.78: https://netty.io/news/2022/06/14/4-1-78-Final.html</li>
<li>Changes from 4.1.77: https://netty.io/news/2022/05/06/2-1-77-Final.html</li>
<li>Changes from 4.1.76: https://netty.io/news/2022/04/12/4-1-76-Final.html</li>
</ul>
</li>
</ul>
<p>netty-tcnative:</p>
<ul>
<li>A new artifact named <code>netty-tcnative-classes</code>, provided by this update, is required by netty 4.1.90, which contains
important security updates</li>
<li>No formal changelog is present; this artifact is closely bound to the netty releases</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE Important update, use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch openSUSE-SLE-15.4-2023-2096=1</code>
</li>
<li class="list-group-item">
Development Tools Module 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2023-2096=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-2096=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-2096=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-2096=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Real Time 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-RT-15-SP3-2023-2096=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-2096=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-2096=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP2
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-2096=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-2096=1</code>
</li>
<li class="list-group-item">
SUSE Enterprise Storage 7.1
<br/>
<code>zypper in -t patch SUSE-Storage-7.1-2023-2096=1</code>
</li>
<li class="list-group-item">
SUSE Enterprise Storage 7
<br/>
<code>zypper in -t patch SUSE-Storage-7-2023-2096=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
<li>netty-4.1.90-150200.4.14.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.4 (noarch)
<ul>
<li>netty-tcnative-javadoc-2.0.59-150200.3.10.1</li>
<li>netty-poms-4.1.90-150200.4.14.1</li>
<li>netty-javadoc-4.1.90-150200.4.14.1</li>
</ul>
</li>
<li>
Development Tools Module 15-SP4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Real Time 15 SP3 (x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
<li>
SUSE Enterprise Storage 7.1 (aarch64 x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
<li>
SUSE Enterprise Storage 7 (aarch64 x86_64)
<ul>
<li>netty-tcnative-2.0.59-150200.3.10.1</li>
</ul>
</li>
</ul>
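<p>After applying the patch above, a practitioner will usually want to confirm that the installed netty and netty-tcnative RPMs are at or above the fixed builds listed in the Package List. The following script is an added example and is not part of the SUSE advisory or of the netty project. It assumes a SUSE host with <code>rpm</code> in the path and GNU coreutils <code>sort -V</code> for version ordering; the fixed version-release strings are taken from the Package List, while the sample inputs in the non-live branch are constructed values, not taken from any real host.</p>

```shell
#!/bin/sh
# Added example; not part of the SUSE advisory or of the netty project.
# Checks whether the installed netty / netty-tcnative RPMs are at or above
# the fixed builds listed in SUSE-SU-2023:2096-1.
# Assumption: GNU coreutils `sort -V` is available for version ordering.

# Fixed version-release strings, taken from the advisory's Package List.
FIXED_NETTY="4.1.90-150200.4.14.1"
FIXED_TCNATIVE="2.0.59-150200.3.10.1"

# version_ge A B: succeed when A sorts at or above B in version order.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# patch_status PKG VERSION-RELEASE: print "fixed" or "vulnerable" for PKG.
patch_status() {
    case $1 in
        netty)          fixed=$FIXED_NETTY ;;
        netty-tcnative) fixed=$FIXED_TCNATIVE ;;
        *) echo "unknown"; return 1 ;;
    esac
    if version_ge "$2" "$fixed"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# check_installed: query the local RPM database for both packages.
# A missing package (or a missing rpm binary) is reported, not treated as an error.
check_installed() {
    for pkg in netty netty-tcnative; do
        if ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null); then
            printf '%-15s %-24s %s\n' "$pkg" "$ver" "$(patch_status "$pkg" "$ver")"
        else
            printf '%-15s not installed\n' "$pkg"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    check_installed
else
    # Constructed sample inputs (not taken from any real host) showing both outcomes.
    for sample in "netty 4.1.75-150200.4.9.1" \
                  "netty 4.1.90-150200.4.14.1" \
                  "netty-tcnative 2.0.51-150200.3.7.1"; do
        set -- $sample
        printf '%-15s %-24s %s\n' "$1" "$2" "$(patch_status "$1" "$2")"
    done
fi
```

<p>Run it with <code>--live</code> on the patched host to query the real RPM database; without the flag it only evaluates the constructed samples. Note that <code>sort -V</code> agrees with RPM's own comparison for the purely numeric version-release strings used here but can differ for versions containing letters, and that <code>zypper patches</code> (or <code>zypper info -t patch NAME</code>) reports the installation status of the patch itself, which is the authoritative check.</p>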
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2022-24823.html">https://www.suse.com/security/cve/CVE-2022-24823.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2022-41881.html">https://www.suse.com/security/cve/CVE-2022-41881.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2022-41915.html">https://www.suse.com/security/cve/CVE-2022-41915.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1199338">https://bugzilla.suse.com/show_bug.cgi?id=1199338</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1206360">https://bugzilla.suse.com/show_bug.cgi?id=1206360</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1206379">https://bugzilla.suse.com/show_bug.cgi?id=1206379</a>
</li>
<li>
<a href="https://jira.suse.com/browse/SLE-23217">https://jira.suse.com/browse/SLE-23217</a>
</li>
</ul>
</div>