Security update for aalto-xml, flatten-maven-plugin, jctools, moditect, netty, netty-tcnative SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:4407-1 Final 1 1 2024-12-23T08:49:34Z current 2024-12-23T08:49:34Z 2024-12-23T08:49:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for aalto-xml, flatten-maven-plugin, jctools, moditect, netty, netty-tcnative This update for aalto-xml, flatten-maven-plugin, jctools, moditect, netty, netty-tcnative fixes the following issues: - CVE-2024-47535: Fixed unsafe reading of large environment files when Netty is loaded by a java application can lead to a crash due to the JVM memory limit being exceeded in netty (bsc#1233297) Other fixes: - Upgraded netty to upstream version 4.1.115 - Upgraded netty-tcnative to version 2.0.69 Final - Updated jctools to version 4.0.5 - Updated aalto-xml to version 1.3.3 - Updated moditect to version 1.2.2 - Updated flatten-maven-plugin to version 1.6.0 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/manager/5.0/x86_64/server:latest-2024-4407,Image server-image-2024-4407,SUSE-2024-4407,SUSE-SLE-Module-Development-Tools-15-SP5-2024-4407,SUSE-SLE-Module-Development-Tools-15-SP6-2024-4407,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-4407,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-4407,openSUSE-SLE-15.5-2024-4407,openSUSE-SLE-15.6-2024-4407 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20244407-1/ Link for SUSE-SU-2024:4407-1 https://lists.suse.com/pipermail/sle-security-updates/2024-December/020044.html E-Mail link for SUSE-SU-2024:4407-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1047218 SUSE Bug 1047218 https://bugzilla.suse.com/1233297 SUSE Bug 1233297 https://www.suse.com/security/cve/CVE-2024-47535/ SUSE CVE CVE-2024-47535 page Container suse/manager/5.0/x86_64/server:latest Image server-image SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Linux Enterprise Module for Package Hub 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 aalto-xml-1.3.3-150200.5.3.1 jctools-4.0.5-150200.3.9.1 netty-4.1.115-150200.4.26.1 aalto-xml-javadoc-1.3.3-150200.5.3.1 flatten-maven-plugin-1.6.0-150200.5.3.1 flatten-maven-plugin-javadoc-1.6.0-150200.5.3.1 jctools-channels-4.0.5-150200.3.9.1 jctools-experimental-4.0.5-150200.3.9.1 jctools-javadoc-4.0.5-150200.3.9.1 moditect-1.2.2-150200.5.3.1 moditect-javadoc-1.2.2-150200.5.3.1 netty-bom-4.1.115-150200.4.26.1 netty-javadoc-4.1.115-150200.4.26.1 netty-parent-4.1.115-150200.4.26.1 netty-tcnative-2.0.69-150200.3.22.1 netty-tcnative-javadoc-2.0.69-150200.3.22.1 netty-tcnative-openssl-dynamic-2.0.69-150200.3.22.1 aalto-xml-1.3.3-150200.5.3.1 as a component of Container suse/manager/5.0/x86_64/server:latest jctools-4.0.5-150200.3.9.1 as a component of Container suse/manager/5.0/x86_64/server:latest netty-4.1.115-150200.4.26.1 as a component of Container suse/manager/5.0/x86_64/server:latest aalto-xml-1.3.3-150200.5.3.1 as a component of Image server-image jctools-4.0.5-150200.3.9.1 as a component of Image server-image netty-4.1.115-150200.4.26.1 as a component of Image server-image netty-tcnative-2.0.69-150200.3.22.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 netty-tcnative-2.0.69-150200.3.22.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 jctools-4.0.5-150200.3.9.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 netty-4.1.115-150200.4.26.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 netty-javadoc-4.1.115-150200.4.26.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 jctools-4.0.5-150200.3.9.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 netty-4.1.115-150200.4.26.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 netty-javadoc-4.1.115-150200.4.26.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 jctools-4.0.5-150200.3.9.1 as a component of openSUSE Leap 15.5 jctools-channels-4.0.5-150200.3.9.1 as a component of openSUSE Leap 15.5 jctools-experimental-4.0.5-150200.3.9.1 as a component of openSUSE Leap 15.5 jctools-javadoc-4.0.5-150200.3.9.1 as a component of openSUSE Leap 15.5 netty-4.1.115-150200.4.26.1 as a component of openSUSE Leap 15.5 netty-javadoc-4.1.115-150200.4.26.1 as a component of openSUSE Leap 15.5 netty-tcnative-2.0.69-150200.3.22.1 as a component of openSUSE Leap 15.5 netty-tcnative-javadoc-2.0.69-150200.3.22.1 as a component of openSUSE Leap 15.5 jctools-4.0.5-150200.3.9.1 as a component of openSUSE Leap 15.6 jctools-channels-4.0.5-150200.3.9.1 as a component of openSUSE Leap 15.6 jctools-experimental-4.0.5-150200.3.9.1 as a component of openSUSE Leap 15.6 jctools-javadoc-4.0.5-150200.3.9.1 as a component of openSUSE Leap 15.6 netty-4.1.115-150200.4.26.1 as a component of openSUSE Leap 15.6 netty-javadoc-4.1.115-150200.4.26.1 as a component of openSUSE Leap 15.6 netty-tcnative-2.0.69-150200.3.22.1 as a component of openSUSE Leap 15.6 netty-tcnative-javadoc-2.0.69-150200.3.22.1 as a component of openSUSE Leap 15.6 Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115. CVE-2024-47535 Container suse/manager/5.0/x86_64/server:latest:aalto-xml-1.3.3-150200.5.3.1 Container suse/manager/5.0/x86_64/server:latest:jctools-4.0.5-150200.3.9.1 Container suse/manager/5.0/x86_64/server:latest:netty-4.1.115-150200.4.26.1 Image server-image:aalto-xml-1.3.3-150200.5.3.1 Image server-image:jctools-4.0.5-150200.3.9.1 Image server-image:netty-4.1.115-150200.4.26.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:netty-tcnative-2.0.69-150200.3.22.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:netty-tcnative-2.0.69-150200.3.22.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:jctools-4.0.5-150200.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:netty-4.1.115-150200.4.26.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:netty-javadoc-4.1.115-150200.4.26.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:jctools-4.0.5-150200.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:netty-4.1.115-150200.4.26.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:netty-javadoc-4.1.115-150200.4.26.1 openSUSE Leap 15.5:jctools-4.0.5-150200.3.9.1 openSUSE Leap 15.5:jctools-channels-4.0.5-150200.3.9.1 openSUSE Leap 15.5:jctools-experimental-4.0.5-150200.3.9.1 openSUSE Leap 15.5:jctools-javadoc-4.0.5-150200.3.9.1 openSUSE Leap 15.5:netty-4.1.115-150200.4.26.1 openSUSE Leap 15.5:netty-javadoc-4.1.115-150200.4.26.1 openSUSE Leap 15.5:netty-tcnative-2.0.69-150200.3.22.1 openSUSE Leap 15.5:netty-tcnative-javadoc-2.0.69-150200.3.22.1 openSUSE Leap 15.6:jctools-4.0.5-150200.3.9.1 openSUSE Leap 15.6:jctools-channels-4.0.5-150200.3.9.1 openSUSE Leap 15.6:jctools-experimental-4.0.5-150200.3.9.1 openSUSE Leap 15.6:jctools-javadoc-4.0.5-150200.3.9.1 openSUSE Leap 15.6:netty-4.1.115-150200.4.26.1 openSUSE Leap 15.6:netty-javadoc-4.1.115-150200.4.26.1 openSUSE Leap 15.6:netty-tcnative-2.0.69-150200.3.22.1 openSUSE Leap 15.6:netty-tcnative-javadoc-2.0.69-150200.3.22.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20244407-1/ https://www.suse.com/security/cve/CVE-2024-47535.html CVE-2024-47535 https://bugzilla.suse.com/1233297 SUSE Bug 1233297