Affected by Netty security issues CVE-2014-3488 and CVE-2014-0193? #140
Comments
|
Is anyone able to work on this? |
|
I'm still trying to find someone to work on this. Unfortunately I'm not able to do it myself. Any volunteers? |
|
I'm not using Webbit anymore, so I can't justify working on this. From what I remember we got stuck on the 3.6.5 version of Netty due to several backwards incompatible changes in later versions. Moving to a more recent 3.x.y version would require significant changes to the codebase. Moving to 4.x.y would require a rewrite of large parts of Webbit. |
|
Do you recall more specifically what the significant changes are? In fixing On Tue, Feb 17, 2015 at 12:53 AM, Aslak Hellesøy notifications@github.com
|
|
@stesla I don't remember the specifics - it's nearly 2 years ago. |
The latest release seems to be v0.4.19 but the HISTORY.md stopps at 0.4.15 (2013-04-26). After that there were at least two security issues in Netty:
CVE-2014-3488
Summary: The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Published: 7/31/2014 10:55:02 AM
CVSS Severity: 5.0 MEDIUM
CVE-2014-0193
Summary: WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.
Published: 5/6/2014 10:55:05 AM
CVSS Severity: 5.0 MEDIUM
As the current pom.xml still only requires Netty 3.6.5.Final, Webbit seems to be vulnerable.
Could you clarify that and add the CVE Ids to the HISTORY.md so that it's easier to check for users?
The text was updated successfully, but these errors were encountered: