<div class="container">
    <h1>Security update for netty, netty-tcnative</h1>

    <table class="table table-striped table-bordered">
        <tbody>
        <tr>
            <th>Announcement ID:</th>
            <td>SUSE-SU-2023:2096-2</td>
        </tr>
        
        <tr>
            <th>Rating:</th>
            <td>important</td>
        </tr>
        <tr>
            <th>References:</th>
            <td>
                <ul>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1199338">#1199338</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1206360">#1206360</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1206379">#1206379</a>
                        </li>
                    
                </ul>
            </td>
        </tr>
        
            <tr>
                <th>
                    Cross-References:
                </th>
                <td>
                    <ul>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2022-24823.html">CVE-2022-24823</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2022-41881.html">CVE-2022-41881</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2022-41915.html">CVE-2022-41915</a>
                        </li>
                    
                    </ul>
                </td>
            </tr>
            <tr>
                <th>CVSS scores:</th>
                <td>
                    <ul class="list-group">
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2022-24823</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">6.2</span>
                                <span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2022-24823</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">5.5</span>
                                <span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2022-41881</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">7.5</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2022-41881</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">5.3</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2022-41915</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">7.5</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2022-41915</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">6.5</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</span>
                            </li>
                        
                    </ul>
                </td>
            </tr>
        
        <tr>
            <th>Affected Products:</th>
            <td>
                <ul class="list-group">
                    
                        <li class="list-group-item">Development Tools Module 15-SP5</li>
                    
                        <li class="list-group-item">openSUSE Leap 15.5</li>
                    
                        <li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
                    
                        <li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
                    
                        <li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
                    
                        <li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
                    
                        <li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
                    
                        <li class="list-group-item">SUSE Package Hub 15 15-SP5</li>
                    
                </ul>
            </td>
        </tr>
        </tbody>
    </table>

    <p>An update that solves three vulnerabilities and contains one feature can now be installed.</p>

    <h2>Description:</h2>
    <p>This update for netty, netty-tcnative fixes the following issues:</p>
<p>netty:</p>
<ul>
<li>Security fixes included in this version update from 4.1.75 to 4.1.90:</li>
<li>CVE-2022-24823: Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files for
    Java 6 and lower in io.netty:netty-codec-http (bsc#1199338)</li>
<li>CVE-2022-41881: HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360)</li>
<li>
<p>CVE-2022-41915: HTTP Response splitting from assigning header value iterator (bsc#1206379)</p>
</li>
<li>
<p>Other non-security bug fixes included in this version update from 4.1.75 to 4.1.90:</p>
</li>
<li>Build with Java 11 on ix86 architecture in order to avoid build failures </li>
<li>Fix <code>HttpHeaders.names</code> for non-String headers</li>
<li>Fix <code>FlowControlHandler</code> behaviour to pass read events when auto-reading is turned off</li>
<li>Fix brotli compression</li>
<li>Fix a bug in FlowControlHandler that broke auto-read</li>
<li>Fix a potential memory leak bug has been in the pooled allocator</li>
<li>Fix a scalability issue caused by instanceof and check-cast checks that lead to false-sharing on the 
    <code>Klass::secondary_super_cache</code> field in the JVM</li>
<li>Fix a bug in our <code>PEMParser</code> when PEM files have multiple objects, and <code>BouncyCastle</code> is on the classpath</li>
<li>Fix several <code>NullPointerException</code> bugs</li>
<li>Fix a regression <code>SslContext</code> private key loading</li>
<li>Fix a bug in <code>SslContext</code> private key reading fall-back path</li>
<li>Fix a buffer leak regression in <code>HttpClientCodec</code></li>
<li>Fix a bug where some <code>HttpMessage</code> implementations, that also implement <code>HttpContent</code>, were not handled correctly</li>
<li>Fix epoll bug when receiving zero-sized datagrams</li>
<li>Fix a bug in <code>SslHandler</code> so <code>handlerRemoved</code> works properly even if <code>handlerAdded</code> throws an exception</li>
<li>Fix an issue that allowed the multicast methods on <code>EpollDatagramChannel</code> to be called outside of an event-loop 
    thread</li>
<li>Fix a bug where an OPT record was added to DNS queries that already had such a record</li>
<li>Fix a bug that caused an error when files uploaded with HTTP POST contained a backslash in their name</li>
<li>Fix an issue in the <code>BlockHound</code> integration that could occasionally cause NetUtil to be reported as performing
    blocking operation. A similar <code>BlockHound</code> issue was fixed for the <code>JdkSslContext</code></li>
<li>Fix a bug that prevented preface or settings frames from being flushed, when an HTTP2 connection was established
    with prior-knowledge</li>
<li>Fix a bug where Netty fails to load a shaded native library</li>
<li>Fix and relax overly strict HTTP/2 header validation check that was rejecting requests from Chrome and Firefox</li>
<li>Fix OpenSSL and BoringSSL implementations to respect the <code>jdk.tls.client.protocols</code> and <code>jdk.tls.server.protocols</code>
    system properties, making them react to these in the same way the JDK SSL provider does</li>
<li>Fix inconsitencies in how <code>epoll</code>, <code>kqueue</code>, and <code>NIO</code> handle RDHUP</li>
<li>For a more detailed list of changes please consult the official release notes:<ul>
<li>Changes from 4.1.90: https://netty.io/news/2023/03/14/4-1-90-Final.html</li>
<li>Changes from 4.1.89: https://netty.io/news/2023/02/13/4-1-89-Final.html</li>
<li>Changes from 4.1.88: https://netty.io/news/2023/02/12/4-1-88-Final.html</li>
<li>Changes from 4.1.87: https://netty.io/news/2023/01/12/4-1-87-Final.html</li>
<li>Changes from 4.1.86: https://netty.io/news/2022/12/12/4-1-86-Final.html</li>
<li>Changes from 4.1.85: https://netty.io/news/2022/11/09/4-1-85-Final.html</li>
<li>Changes from 4.1.84: https://netty.io/news/2022/10/11/4-1-84-Final.html</li>
<li>Changes from 4.1.82: https://netty.io/news/2022/09/13/4-1-82-Final.html</li>
<li>Changes from 4.1.81: https://netty.io/news/2022/09/08/4-1-81-Final.html</li>
<li>Changes from 4.1.80: https://netty.io/news/2022/08/26/4-1-80-Final.html</li>
<li>Changes from 4.1.79: https://netty.io/news/2022/07/11/4-1-79-Final.html</li>
<li>Changes from 4.1.78: https://netty.io/news/2022/06/14/4-1-78-Final.html</li>
<li>Changes from 4.1.77: https://netty.io/news/2022/05/06/2-1-77-Final.html</li>
<li>Changes from 4.1.76: https://netty.io/news/2022/04/12/4-1-76-Final.html</li>
</ul>
</li>
</ul>
<p>netty-tcnative:</p>
<ul>
<li>New artifact named <code>netty-tcnative-classes</code>, provided by this update is required by netty 4.1.90 which contains 
  important security updates</li>
<li>No formal changelog present. This artifact is closely bound to the netty releases</li>
</ul>

    

    <h2>Patch Instructions:</h2>
    <p>
        To install this SUSE Important update use the SUSE recommended
        installation methods like YaST online_update or "zypper patch".<br/>

        Alternatively you can run the command listed for your product:
    </p>
    <ul class="list-group">
        
            <li class="list-group-item">
                openSUSE Leap 15.5
                
                    
                        <br/>
                        <code>zypper in -t patch openSUSE-SLE-15.5-2023-2096=1</code>
                    
                    
                
            </li>
        
            <li class="list-group-item">
                Development Tools Module 15-SP5
                
                    
                        <br/>
                        <code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-2096=1</code>
                    
                    
                
            </li>
        
            <li class="list-group-item">
                SUSE Package Hub 15 15-SP5
                
                    
                        <br/>
                        <code>zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-2096=1</code>
                    
                    
                
            </li>
        
    </ul>

    <h2>Package List:</h2>
    <ul>
        
            
                <li>
                    openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
                    <ul>
                        
                            <li>netty-tcnative-2.0.59-150200.3.10.1</li>
                        
                            <li>netty-4.1.90-150200.4.14.1</li>
                        
                    </ul>
                </li>
            
                <li>
                    openSUSE Leap 15.5 (noarch)
                    <ul>
                        
                            <li>netty-tcnative-javadoc-2.0.59-150200.3.10.1</li>
                        
                            <li>netty-javadoc-4.1.90-150200.4.14.1</li>
                        
                            <li>netty-poms-4.1.90-150200.4.14.1</li>
                        
                    </ul>
                </li>
            
        
            
                <li>
                    Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
                    <ul>
                        
                            <li>netty-tcnative-2.0.59-150200.3.10.1</li>
                        
                    </ul>
                </li>
            
        
            
                <li>
                    SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
                    <ul>
                        
                            <li>netty-4.1.90-150200.4.14.1</li>
                        
                    </ul>
                </li>
            
                <li>
                    SUSE Package Hub 15 15-SP5 (noarch)
                    <ul>
                        
                            <li>netty-javadoc-4.1.90-150200.4.14.1</li>
                        
                            <li>netty-poms-4.1.90-150200.4.14.1</li>
                        
                    </ul>
                </li>
            
        
    </ul>

    
        <h2>References:</h2>
        <ul>
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2022-24823.html">https://www.suse.com/security/cve/CVE-2022-24823.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2022-41881.html">https://www.suse.com/security/cve/CVE-2022-41881.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2022-41915.html">https://www.suse.com/security/cve/CVE-2022-41915.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1199338">https://bugzilla.suse.com/show_bug.cgi?id=1199338</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1206360">https://bugzilla.suse.com/show_bug.cgi?id=1206360</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1206379">https://bugzilla.suse.com/show_bug.cgi?id=1206379</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://jira.suse.com/browse/SLE-23217">https://jira.suse.com/browse/SLE-23217</a>
                    </li>
                
            
        </ul>
    
</div>