Bugzilla – Bug 1206360
VUL-0: CVE-2022-41881: netty: Infinite recursion in HAProxyMessageDecoder
Last modified: 2024-05-03 09:22:08 UTC
CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41881
https://www.cve.org/CVERecord?id=CVE-2022-41881
https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v
Affected:
- SUSE:SLE-15-SP2:Update/netty 4.1.75
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/netty 4.1.44
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update/netty 4.1.44
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update/netty 4.1.44
- openSUSE:Backports:SLE-15-SP3/netty 4.1.13
Not Affected:
- SUSE:SLE-15-SP2:Update/netty3 3.10.6
- openSUSE:Factory/netty3 3.10.6
SUSE-SU-2023:2096-1: An update that solves three vulnerabilities and contains one feature can now be installed.
Category: security (important)
Bug References: 1199338, 1206360, 1206379
CVE References: CVE-2022-24823, CVE-2022-41881, CVE-2022-41915
Jira References: SLE-23217
Sources used:
openSUSE Leap 15.4 (src): netty-tcnative-2.0.59-150200.3.10.1, netty-4.1.90-150200.4.14.1
Development Tools Module 15-SP4 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise Real Time 15 SP3 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Enterprise Storage 7.1 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Enterprise Storage 7 (src): netty-tcnative-2.0.59-150200.3.10.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2096-2: An update that solves three vulnerabilities and contains one feature can now be installed.
Category: security (important)
Bug References: 1199338, 1206360, 1206379
CVE References: CVE-2022-24823, CVE-2022-41881, CVE-2022-41915
Jira References: SLE-23217
Sources used:
openSUSE Leap 15.5 (src): netty-tcnative-2.0.59-150200.3.10.1, netty-4.1.90-150200.4.14.1
Development Tools Module 15-SP5 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Package Hub 15 15-SP5 (src): netty-4.1.90-150200.4.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is fixed, but since it is a security issue, I am not closing it myself.
done, closing