You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2021/02/22 03:19:58 UTC
[GitHub] [servicecomb-java-chassis] Xrzser opened a new issue #2245: 目前使用的Netty 4.1.47.Final版本存在致命漏洞
Xrzser opened a new issue #2245:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2245
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the ca
se in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2245: 目前使用的Netty 4.1.47.Final版本存在安全漏洞
Posted by GitBox <gi...@apache.org>.
liubao68 commented on issue #2245:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2245#issuecomment-825340457
fixed in 2.2.0
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [servicecomb-java-chassis] liubao68 closed issue #2245: 目前使用的Netty 4.1.47.Final版本存在安全漏洞
Posted by GitBox <gi...@apache.org>.
liubao68 closed issue #2245:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2245
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org