Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAFThDPGYiVLj3ZBVTQKYA+yMVMsDruCjCQEyGTjTeoGjXAfKDg@mail.gmail.com>
Date: Sat, 16 May 2015 17:08:22 -0700
From: Luca Carettoni <luca.carettoni@...isoft.com>
To: oss-security@...ts.openwall.com
Subject: Netty/Play's Security Updates (CVE­-2015­-2156)

During a recent assessment, we discovered a security flaw within Netty’s
cookie parsing code which leads to a universal HttpOnly bypass in Play
Framework and potentially other frameworks using Netty as a dependency.

The issue has been fixed in Netty 3.9.8.Final, 3.10.3.Final, Netty
4.1.0.Beta5, Netty 4.0.28.Final and Play Framework 2.3.9.

http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass

Technical details of the vulnerability:
http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156

Many other projects using Netty may be vulnerable to similar
"side­-effects" of the incorrect cookies parsing routine. We recommend that
every project relying on Netty’s CookieDecoder method should mitigate the
potential risk by upgrading to the latest version.

Cheers,
Luca

-- 

Luca Carettoni

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.