Bugzilla – Bug 1169082
VUL-1: CVE-2020-10707: netty: compression/decompression codecs don't enforce limits on buffer allocation sizes
Last modified: 2022-04-07 09:23:47 UTC
CVE-2020-10707

A vulnerability was found in Netty in the way it handles the amount of data it compresses and decompresses. Compression/decompression codecs should enforce memory allocation size limits to avoid an OutOfMemoryError or exhausting the memory pool: a small compressed input can otherwise force the decoder to allocate an output buffer whose size is chosen by the sender.

References:
https://github.com/netty/netty/pull/9924
https://bugzilla.redhat.com/show_bug.cgi?id=1816216
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10707
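The failure mode the description refers to, shown as an added example that is not Netty's code and not part of this bug report: a stream of a few tens of KiB inflates to 32 MiB if the decoder sizes its output from the compressed content alone, while a decoder that carries a caller-chosen output limit stops long before the bomb is fully expanded. The example uses Python's zlib module rather than Netty's codecs; the limit parameter name, the exception class and the sample input are constructed for illustration and do not correspond to Netty's API.

```python
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when inflated output would grow past the caller's limit."""


def make_zero_bomb(plain_size: int) -> bytes:
    """Constructed sample input: a highly compressible stream (all zero bytes).

    A stream this small on the wire inflates to plain_size bytes, which is
    exactly what an attacker sends to a decoder that has no output limit.
    """
    return zlib.compress(b"\0" * plain_size)


def inflated_size_unbounded(data: bytes) -> int:
    """The vulnerable pattern: inflate everything into one buffer whose size is
    dictated by the sender's choice of compressed content, not by the receiver."""
    return len(zlib.decompress(data))


def decompress_bounded(data: bytes, max_output: int, step: int = 64 * 1024) -> bytes:
    """Inflate data but refuse to let the output grow beyond max_output bytes.

    zlib's decompressobj accepts a max_length per call, so the decoder never
    produces more than `step` bytes at a time and can stop as soon as the
    running total crosses the limit, before the bomb is fully expanded.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, step)
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"inflated output exceeds {max_output} bytes after reading "
                f"{len(data) - len(d.unconsumed_tail)} compressed bytes"
            )
        pending = d.unconsumed_tail  # input zlib has not consumed yet
        if not piece and not pending and not d.eof:
            raise zlib.error("truncated or corrupt stream")
    return bytes(out)


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """True if inflating data would need more than max_output bytes."""
    try:
        decompress_bounded(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


# Constructed demo input: 32 MiB of zeros, a few tens of KiB once compressed.
BOMB = make_zero_bomb(32 << 20)

if __name__ == "__main__":
    print(f"compressed: {len(BOMB)} bytes")
    print(f"unbounded inflate: {inflated_size_unbounded(BOMB)} bytes")
    print(f"rejected at 1 MiB limit: {exceeds_limit(BOMB, 1 << 20)}")
```

The point of the bounded loop is that the check runs against the running output total on every step, so the cost of rejecting a bomb is bounded by the limit rather than by the attacker's chosen expansion ratio; a check applied only after a full inflate would already have paid the allocation the limit is meant to prevent.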
CVE-2020-10707 appears to overlap with CVE-2020-11612 [0]. Detailed information is sparse, but based on this comment [1], I assume CVE-2020-10707 extends the issue to all the other compression algorithms found in netty.

We should wait for clarification.

[0] https://bugzilla.suse.com/show_bug.cgi?id=1168932
[1] https://github.com/netty/netty/issues/6168#issuecomment-580746140
This is an autogenerated message for OBS integration: This bug (1169082) was mentioned in https://build.opensuse.org/request/show/792763 Factory / netty
(In reply to Wolfgang Frisch from comment #1)
> CVE-2020-10707 appears to overlap with CVE-2020-11612 [0]. Detailed
> information is sparse but based on this comment [1], I assume CVE-2020-10707
> extends the issue to all the other compression algorithms found in netty.
>
> We should wait for clarification.
>
> [0] https://bugzilla.suse.com/show_bug.cgi?id=1168932
> [1] https://github.com/netty/netty/issues/6168#issuecomment-580746140

FWIW, the entries in https://bugzilla.redhat.com/show_bug.cgi?id=1816216 have been updated to reference CVE-2020-11612, as CVE-2020-10707 appeared to be a duplicate assignment.
fixed