LTS report October 2023
=======================

This month's highlights revolved around CVE-2023-44487 (Rapid Reset Attack), which affected several web servers in Debian. In the Java ecosystem Tomcat, Jetty and Netty were affected. I tried to solve this problem with a top-down approach, because it quickly became apparent that the changes were huge and non-trivial even in more recent versions. Over the years there have been several improvements and prerequisites for the HTTP/2 protocol implementation, and not all of them were marked as such in the upstream security advisories.

1. DSA-5521-1. I reviewed a security update of tomcat10, prepared by Emmanuel Bourg, and issued a security update fixing 5 CVE in Bookworm.

2. DSA-5522-1. Reviewed a security update of tomcat9, prepared by Emmanuel Bourg, and issued a security update fixing 5 CVE in Bullseye.

3. DSA-5522-2. I investigated a regression (#1053820) caused by the patch for CVE-2023-44487, found the root cause of the problem and sent a patch to Emmanuel Bourg, who prepared a regression update.

4. DLA-3617-1. Then I released a security update of tomcat9 fixing 5 CVE in Buster.

5. DSA-5522-3. Another regression was found in the Http2UpgradeHandler class of Tomcat 9, introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack), which unfortunately was not caught by Tomcat's extensive test suite. A wrong value for the overheadCount variable forced connections to close early. I debugged the problem and sent the patch to Emmanuel Bourg for review. The update was released as DSA-5522-3.

6. DLA-3617-2. Issued a regression update for tomcat9 in Buster to address the same problem as in Bullseye.

7. DLA-3622-1. Issued a security update for axis fixing 1 CVE in Buster. For consistency reasons I also prepared point updates for Bullseye (#1054121) and Bookworm (#1054122).

8. DSA-5540-1. Issued a security update for jetty9 fixing 2 CVE in Bullseye and Bookworm.

9. DLA-3641-1. Issued a security update for jetty9 fixing 3 CVE in Buster. The Jetty 9 diff for Bookworm was already more than 300 KB, and it grew even larger for Bullseye and Buster. We ship the 9.4.x series in all aforementioned Debian distributions. I decided to spend the time on backporting the most recent 9.4.50 version instead of trying to reinvent the wheel. I successfully rebuilt all reverse-dependencies and had to make some small adjustments for Buster (servlet-api-3 instead of servlet-api-4). This should also enable us to extend Jetty 9 security support, because according to the Jetty developers it has now officially reached its end-of-life. A more recent code base with better test coverage helps a lot in achieving this goal.

10. I investigated CVE-2023-46852 and CVE-2023-46853 in memcached and triaged both CVE as not-affected, because the vulnerable proxy code was introduced in later releases.

11. DLA-3647-1. Issued a security update for trapperkeeper-webserver-jetty9-clojure. Adam Barratt discovered a regression in PuppetDB (#1055348) due to the Jetty 9 upgrade in Buster. More specifically, trapperkeeper-webserver-jetty9-clojure still used a deprecated class, and newer Jetty 9 versions upgraded the warning to an error message, which caused this runtime problem.

12. I triaged CVE-2023-5632 as not affected in mosquitto, because the vulnerable code was introduced in later versions. I decided to mark CVE-2023-28366 as ignored, because fixing the potential memory leak requires a rewrite of core packet handling functions, and the risk of regressions is thus rather high. An upgrade to the version in Bullseye would be a sensible approach, because that version has excellent test coverage. For now I tend to ignore this problem because of the regression risks involved.

13. I have been working on fixing CVE-2023-34462 and CVE-2023-44487 in netty. As with the other web servers / servlet engines, I started with the latest version, which is 1:4.1.48-7 in sid/trixie/bookworm and the rather similar 1:4.1.48-4+deb11u1 in bullseye. I will upload the package very soon, but I intend to wait a few more days before I upload to Buster.
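To make the failure mode behind item 5 concrete, here is a small Python model of the defensive idea that Rapid Reset mitigations rely on: control frames (HEADERS, RST_STREAM, SETTINGS, ...) are charged as "overhead", useful DATA frames pay credit back, and a connection whose balance climbs above zero is closed. The model is added for this report and is not Tomcat's code; the frame costs, the starting credit of -100, the class and function names are all constructed assumptions. It shows why a stream-and-reset flood trips the limit while a well-behaved client never does, and why a wrong starting value (the kind of defect described in item 5) closes legitimate connections after the very first frame.

```python
"""Toy model of per-connection HTTP/2 overhead accounting.

Constructed for this write-up; NOT Tomcat's implementation. Costs, the
default credit and all names are assumptions chosen to make the behaviour
easy to follow.
"""
from typing import Iterable, List, Tuple

# Constructed cost table: control frames add overhead. A reset costs more
# than a plain header frame because it throws away work already started.
FRAME_COST = {
    "HEADERS": 1,
    "RST_STREAM": 3,
    "SETTINGS": 1,
    "PING": 1,
    "PRIORITY": 1,
    "WINDOW_UPDATE": 1,
}
DATA_CREDIT_PER_KIB = 1   # each KiB of request body earns back one unit
DEFAULT_CREDIT = -100     # constructed starting value; negative means credit

Frame = Tuple[str, int]   # (frame type, payload length in bytes)


class Connection:
    """Per-connection overhead accounting (constructed model)."""

    def __init__(self, initial_credit: int = DEFAULT_CREDIT) -> None:
        # The connection is closed as soon as count rises above zero.
        self.count = initial_credit
        self.closed = False
        self.frames_seen = 0

    def on_frame(self, frame: Frame) -> bool:
        """Account one received frame; returns False once the connection is closed."""
        if self.closed:
            return False
        ftype, length = frame
        if ftype == "DATA":
            # Useful payload pays overhead back, at least one unit per frame.
            self.count -= max(1, length // 1024) * DATA_CREDIT_PER_KIB
        else:
            self.count += FRAME_COST.get(ftype, 1)
        self.frames_seen += 1
        if self.count > 0:
            # A real server would send GOAWAY(ENHANCE_YOUR_CALM) at this point.
            self.closed = True
        return not self.closed


def run(frames: Iterable[Frame], initial_credit: int = DEFAULT_CREDIT) -> Connection:
    """Feed frames to a fresh connection, stopping when it is closed."""
    conn = Connection(initial_credit)
    for frame in frames:
        if not conn.on_frame(frame):
            break
    return conn


def legitimate_requests(n: int, body_len: int = 4096) -> List[Frame]:
    """n POST-style requests: HEADERS followed by a DATA body (constructed input)."""
    return [f for _ in range(n) for f in (("HEADERS", 0), ("DATA", body_len))]


def reset_burst(n: int) -> List[Frame]:
    """n streams opened and immediately reset: the Rapid Reset pattern (constructed input)."""
    return [f for _ in range(n) for f in (("HEADERS", 0), ("RST_STREAM", 0))]


if __name__ == "__main__":
    good = run(legitimate_requests(50))
    print("legitimate client:", "closed" if good.closed else "kept open",
          "after", good.frames_seen, "frames")
    flood = run(reset_burst(100))
    print("reset flood: closed after", flood.frames_seen, "frames")
    broken = run(legitimate_requests(50), initial_credit=0)
    print("wrong starting value: legitimate client closed after",
          broken.frames_seen, "frame(s)")
```

With the constructed costs, a legitimate request pays back more than it costs (+1 for HEADERS, -4 for a 4 KiB body), so the balance only falls. The reset pattern costs +4 per stream with nothing paid back, so the 100-credit connection closes on the 51st frame. Starting the counter at 0 instead of -100 means the first HEADERS frame alone pushes it above zero, which is the "connections close early" symptom that a test suite exercising only the flood case would not notice.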