Candidate: CVE-2015-2156
PublicDate: 2017-10-18 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
 http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
 https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
 http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
 https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27b5a8f79b8
Description:
 Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796114
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793770
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646523
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_netty3.1:
upstream_netty3.1: needs-triage
precise_netty3.1: ignored (reached end-of-life)
precise/esm_netty3.1: DNE (precise was needed)
trusty_netty3.1: ignored (reached end-of-life)
trusty/esm_netty3.1: DNE (trusty was needed)
vivid_netty3.1: ignored (reached end-of-life)
vivid/stable-phone-overlay_netty3.1: DNE
vivid/ubuntu-core_netty3.1: DNE
wily_netty3.1: DNE
xenial_netty3.1: DNE
yakkety_netty3.1: DNE
zesty_netty3.1: DNE
artful_netty3.1: DNE
bionic_netty3.1: DNE
cosmic_netty3.1: DNE
disco_netty3.1: DNE
eoan_netty3.1: DNE
focal_netty3.1: DNE
groovy_netty3.1: DNE
hirsute_netty3.1: DNE
impish_netty3.1: DNE
jammy_netty3.1: DNE
devel_netty3.1: DNE

Patches_netty:
upstream_netty: released (3.9.9.Final-1, 1:4.0.31-1, 1:4.1.7-2)
precise_netty: ignored (reached end-of-life)
precise/esm_netty: DNE (precise was needed)
trusty_netty: ignored (out of standard support)
trusty/esm_netty: needed
vivid_netty: ignored (reached end-of-life)
vivid/stable-phone-overlay_netty: DNE
vivid/ubuntu-core_netty: DNE
wily_netty: ignored (reached end-of-life)
xenial_netty: not-affected (1:4.0.34-1)
yakkety_netty: ignored (reached end-of-life)
zesty_netty: ignored (reached end-of-life)
artful_netty: ignored (reached end-of-life)
bionic_netty: not-affected (1:4.0.34-1)
cosmic_netty: not-affected (1:4.0.34-1)
disco_netty: not-affected (1:4.0.34-1)
eoan_netty: not-affected (1:4.0.34-1)
focal_netty: not-affected (1:4.0.34-1)
groovy_netty: not-affected (1:4.0.34-1)
hirsute_netty: not-affected (1:4.0.34-1)
impish_netty: not-affected (1:4.0.34-1)
jammy_netty: not-affected (1:4.0.34-1)
devel_netty: not-affected (1:4.0.34-1)

Patches_netty-3.9:
 upstream: https://github.com/slandelle/netty/commit/52b80e50ded14b44ea3e4cbd30e5d7f864f88d85
upstream_netty-3.9: released (3.9.9.Final-1)
precise_netty-3.9: DNE
precise/esm_netty-3.9: DNE
trusty_netty-3.9: DNE
trusty/esm_netty-3.9: DNE
vivid_netty-3.9: ignored (reached end-of-life)
vivid/stable-phone-overlay_netty-3.9: DNE
vivid/ubuntu-core_netty-3.9: DNE
wily_netty-3.9: ignored (reached end-of-life)
xenial_netty-3.9: ignored (end of standard support, was needed)
yakkety_netty-3.9: ignored (reached end-of-life)
zesty_netty-3.9: ignored (reached end-of-life)
artful_netty-3.9: ignored (reached end-of-life)
bionic_netty-3.9: not-affected (3.9.9.Final-1)
cosmic_netty-3.9: not-affected (3.9.9.Final-1)
disco_netty-3.9: DNE
eoan_netty-3.9: DNE
focal_netty-3.9: DNE
groovy_netty-3.9: DNE
hirsute_netty-3.9: DNE
impish_netty-3.9: DNE
jammy_netty-3.9: DNE
devel_netty-3.9: DNE
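The description above attributes the flaw to "improper validation of cookie name and value characters" in the Set-Cookie encoder. The following is an added example, not Netty's or Play's code: it places a lenient encoder that concatenates name and value without checks beside a strict one that enforces the RFC 6265 cookie-name (token) and cookie-value (cookie-octet) grammar, and shows how an attacker-influenced value carrying CR/LF or separator characters changes the structure of the emitted header when validation is missing. The tainted value is constructed for illustration; the specific way this was leveraged against HttpOnly cookies is documented in the Play and LinkedIn references listed above and is not reproduced here.

```python
import re

# RFC 6265 section 4.1.1: cookie-name is an RFC 2616 token (no CTLs, no
# separators); cookie-value is cookie-octet*, optionally wrapped in DQUOTE.
# cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, which excludes
# control characters, whitespace, DQUOTE, comma, semicolon and backslash.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTET_RE = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


def valid_cookie_name(name: str) -> bool:
    """True if name is a non-empty RFC 2616 token."""
    return bool(_TOKEN_RE.match(name))


def valid_cookie_value(value: str) -> bool:
    """True if value is cookie-octet*, with or without surrounding DQUOTEs."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return bool(_COOKIE_OCTET_RE.match(value))


def encode_set_cookie_lenient(name: str, value: str, http_only: bool = True) -> str:
    """The unvalidated 'before' behaviour: whatever is in name/value ends up
    verbatim in the header line."""
    header = f"{name}={value}"
    if http_only:
        header += "; HttpOnly"
    return header


def encode_set_cookie_strict(name: str, value: str, http_only: bool = True) -> str:
    """Hardened encoder: refuse any name or value outside the RFC 6265 grammar
    before it can reach the wire."""
    if not valid_cookie_name(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    if not valid_cookie_value(value):
        raise ValueError(f"invalid cookie value: {value!r}")
    return encode_set_cookie_lenient(name, value, http_only)


def demo() -> dict:
    """Run both encoders over a constructed attacker-influenced value (example
    data, not taken from a real exploit) and report what each would emit."""
    tainted = "abc\r\nSet-Cookie: session=attacker; Path=/"
    lenient = encode_set_cookie_lenient("pref", tainted)
    # Splitting on CRLF shows how a naive header writer would hand this to the
    # client: the attacker's text has become a second Set-Cookie line.
    lenient_lines = lenient.split("\r\n")
    try:
        encode_set_cookie_strict("pref", tainted)
        strict_accepted = True
    except ValueError:
        strict_accepted = False
    return {"lenient_header_lines": lenient_lines, "strict_accepted": strict_accepted}


if __name__ == "__main__":
    result = demo()
    for line in result["lenient_header_lines"]:
        print("lenient emits:", repr(line))
    print("strict accepted tainted value:", result["strict_accepted"])
```

The strict encoder rejects the value outright rather than trying to escape it; for cookies, escaping is ambiguous across clients, so refusing non-conforming input (and fixing the caller that produced it) is the safer default. The same two predicates can be applied on the decoding side to drop request cookies whose names or values fall outside the grammar.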