-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1108
           Red Hat build of Eclipse Vert.x 4.0.3 security update
                               1 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Eclipse Vert.x
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21295 CVE-2021-21290 

Reference:         ESB-2021.1053
                   ESB-2021.0515

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0943

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Eclipse Vert.x 4.0.3 security update
Advisory ID:       RHSA-2021:0943-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0943
Issue date:        2021-03-31
CVE Names:         CVE-2021-21290 CVE-2021-21295 
=====================================================================

1. Summary:

An update is now available for Red Hat build of Eclipse Vert.x.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability. For
more information, see the CVE pages listed in the References section.

2. Description:

This release of Red Hat build of Eclipse Vert.x 4.0.3 includes security
updates, bug fixes, and enhancements. For more information, see the release
notes listed in the References section.

Security Fix(es):

* netty: Information disclosure via the local system temporary directory
(CVE-2021-21290)

* netty: possible request smuggling in HTTP/2 due missing validation
(CVE-2021-21295)

For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation

5. References:

https://access.redhat.com/security/cve/CVE-2021-21290
https://access.redhat.com/security/cve/CVE-2021-21295
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=4.0.3
https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.0/html/release_notes_for_eclipse_vert.x_4.0/index
https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.0/html/eclipse_vert.x_4.0_migration_guide/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYGRDR9zjgjWX9erEAQh9IQ//ZWUE0Mj0hVag/gdeQVTB7VGQFbPje2oB
Rl6J7IfOBLNRa/mUN6MP8NezNeNtW/FUk71TwkyoIO1gesFlCdbd02qFnac19JBs
PADuR1kWKQlL6CsS9bhl4c84m3bw8AYqa7FsoOKjeWLcR2T3twafw0+LrL/aaUrd
Kj3l68L5DIZWpQ/o8uCGHxmq5Gz1H6XvYsH6m9w3Jmvq6v5psm7rRofYsj3UgWS2
3Uvc0ICmVAkLK1mc2Fqby23mUt2zMDdDjb0yEOE7UyIYD8MMZmn74SOH0yl/ZRmD
LmcFv8Se6TDEMCBwzVCXKCfE38GIx5Y0PiWpQ6NOmEziDmUFmWaOrHNvs98cgkd+
BKlLo98iBi0878oJpSImV0e5h/MzNi2R0EHUpdI6zWiMV+cqcPLpLr1N5xQqE1Q7
EH169GmOBqvUJxKh07bP8jICeJ3u8GssHwqQL5lQAV97AwVFc3JipIG922QhThMP
acpi3dmOP9F+wIXyIhv61g7ZWohH0edwxVhN+2LxIcNMBGXQtOHvOecyDTTWEcVx
gUJq2D/z4Y6aJPI5XaXrj4c0mtNGBMYqjWsQQdGdqPaFoIXq2UfZiNFIvIC4L/A+
6DTfUy9IIaOcroSu20NVfH7vWi0RDHT8l7aml3zK84kieZAcAuYwo3i8W3U93ZB6
adeqT0ijyKI=
=aIC7
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYGUKzeNLKJtyKPYoAQjM7g//Sz+ghKNBdGCNzaRUeYGVe3GQudMd+Qp8
MWCUJ405H9YlgsLmfDtoHOSfXchaXtYD3zpzOrumJeM0sk/8UB480RA5Xq1BegmY
Ll94vGiYR0E13KieMvxYBnT51/MQKCQZbqWwfy65NAo+mNaFdiRVWLUmEfDTLdD9
8e+AttZukFw9nHhBHMDstHjMzAicien+hMDDyUfu+/GQEINpY3bMGJ8DEImlYJMl
YhpibYbaj/sdZBRvtDJWLFoE8wyNyXujrk+fny0M4sjWgf9N8Z8CphjDlAXBZ0oa
OwJysnrXxEmgtq6Sj5DPnh9IcMXyXzlP4+pvZLqR2oLGqLigmk5ky8WMtkmUAnyj
/jQiLS6pfXKdibnELA7mF+DxKJfn9UW320oQW7VA+vpPBiaKqpQhDpd7EKymngG3
gLPLeoigiTVSP1oMgiLp89nDEizKPIEmIaPAdY2TG457UGJRcpAJRnOJsHKFQMBa
x17n+FYLuSFgiu6I6zPll6D8tVhMjeLEDtQi5ddjMt8vdjft2hTO9UfBYlN1Aqid
ur2leyyECB1l0LLywrTzU8N80Qj1m7HtuizBnHaSHuQcoKP8UthuWESTpPF9rG0t
U6NWLub0TF0RQglJTXgQntJ6fszR7iGG5FEN2jw3O1EiB4nwu8U9kirndLtgYPd3
vBxn29LCsow=
=SOJY
-----END PGP SIGNATURE-----