CVE-2015-2156

Name: CVE-2015-2156
Description: Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0 ...
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 646523, 793770, 796114

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| netty (PTS) | jessie, jessie (lts) | 1:3.2.6.Final-2+deb8u2 | vulnerable |
| netty | stretch | 1:4.1.7-2+deb9u1 | fixed |
| netty | stretch (security) | 1:4.1.7-2+deb9u3 | fixed |
| netty | buster, buster (security) | 1:4.1.33-1+deb10u2 | fixed |
| netty | sid, bookworm, bullseye | 1:4.1.48-4 | fixed |
| netty-3.9 (PTS) | jessie, jessie (lts) | 3.9.0.Final-1+deb8u1 | vulnerable |
| netty-3.9 | stretch | 3.9.9.Final-1 | fixed |
| netty-3.9 | stretch (security) | 3.9.9.Final-1+deb9u1 | fixed |

The information below is based on the following data on fixed versions.

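| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| netty | source | (unstable) | 1:4.0.31-1 | | | 796114 |
| netty-3.9 | source | (unstable) | 3.9.9.Final-1 | | | 793770 |
| netty3.1 | source | (unstable) | (unfixed) | | | |
| playframework | ITP | | | | | 646523 |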

Notes

[wheezy] - netty3.1 <no-dsa> (Minor issue)
[jessie] - netty <ignored> (Minor issue, invasive patch)
[wheezy] - netty <no-dsa> (Minor issue)
[squeeze] - netty <no-dsa> (Minor issue)
[jessie] - netty-3.9 <ignored> (Minor issue, invasive patch)
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
http://web.archive.org/web/20150925094949/http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
https://github.com/netty/netty/commit/97d871a7553a01384b43df855dccdda5205ae77a
