Date: Sat, 16 May 2015 17:08:22 -0700 From: Luca Carettoni <luca.carettoni@...isoft.com> To: oss-security@...ts.openwall.com Subject: Netty/Play's Security Updates (CVE-2015-2156) During a recent assessment, we discovered a security flaw within Netty’s cookie parsing code which leads to a universal HttpOnly bypass in Play Framework and potentially other frameworks using Netty as a dependency. The issue has been fixed in Netty 3.9.8.Final, 3.10.3.Final, Netty 4.1.0.Beta5, Netty 4.0.28.Final and Play Framework 2.3.9. http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass Technical details of the vulnerability: http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156 Many other projects using Netty may be vulnerable to similar "side-effects" of the incorrect cookies parsing routine. We recommend that every project relying on Netty’s CookieDecoder method should mitigate the potential risk by upgrading to the latest version. Cheers, Luca -- Luca Carettoni
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.