Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 16 May 2015 17:08:22 -0700
From: Luca Carettoni <luca.carettoni@...isoft.com>
To: oss-security@...ts.openwall.com
Subject: Netty/Play's Security Updates (CVE­-2015­-2156)

During a recent assessment, we discovered a security flaw within Netty’s
cookie parsing code which leads to a universal HttpOnly bypass in Play
Framework and potentially other frameworks using Netty as a dependency.

The issue has been fixed in Netty 3.9.8.Final, 3.10.3.Final, Netty
4.1.0.Beta5, Netty 4.0.28.Final and Play Framework 2.3.9.

http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass

Technical details of the vulnerability:
http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156

Many other projects using Netty may be vulnerable to similar
"side­-effects" of the incorrect cookies parsing routine. We recommend that
every project relying on Netty’s CookieDecoder method should mitigate the
potential risk by upgrading to the latest version.

Cheers,
Luca

-- 

Luca Carettoni

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ