High severity · 7.5 · NVD Advisory · Published Oct 18, 2017 · Updated May 13, 2026
CVE-2015-2156
Description
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.netty:netty-parent (Maven) | >= 4.0.0, < 4.0.28.Final | 4.0.28.Final |
| org.jboss.netty:netty (Maven) | < 3.9.8.Final | 3.9.8.Final |
| org.jboss.netty:netty (Maven) | >= 3.10.0, < 3.10.3.Final | 3.10.3.Final |
| io.netty:netty (Maven) | >= 3.10.0, < 3.10.3.Final | 3.10.3.Final |
| io.netty:netty (Maven) | < 3.9.8.Final | 3.9.8.Final |
Affected products
- cpe:2.3:a:lightbend:play_framework:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* (range: <=3.9.7)
- cpe:2.3:a:netty:netty:3.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:beta:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.1:2.9.x-backport:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.1:rc1-2.9.x-backport:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:m1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:m2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:m3:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc3:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc4:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.3:m1:*:*:*:*:*:*
Patches
9 files changed · +31 −31
src/main/java/org/jboss/netty/handler/codec/http/cookie/ClientCookieDecoder.java+6 −6 modified@@ -154,7 +154,7 @@ private static class CookieBuilder { private final DefaultCookie cookie; private String domain; private String path; - private long maxAge = Long.MIN_VALUE; + private int maxAge = Integer.MIN_VALUE; private String expires; private boolean secure; private boolean httpOnly; @@ -163,18 +163,18 @@ public CookieBuilder(DefaultCookie cookie) { this.cookie = cookie; } - private long mergeMaxAgeAndExpire(long maxAge, String expires) { + private int mergeMaxAgeAndExpire(int maxAge, String expires) { // max age has precedence over expires - if (maxAge != Long.MIN_VALUE) { + if (maxAge != Integer.MIN_VALUE) { return maxAge; } else if (expires != null) { Date expiresDate = HttpHeaderDateFormat.get().parse(expires, new ParsePosition(0)); if (expiresDate != null) { long maxAgeMillis = expiresDate.getTime() - System.currentTimeMillis(); - return maxAgeMillis / 1000 + (maxAgeMillis % 1000 != 0 ? 1 : 0); + return (int) (maxAgeMillis / 1000 + (maxAgeMillis % 1000 != 0 ? 1 : 0)); } } - return Long.MIN_VALUE; + return Integer.MIN_VALUE; } public Cookie cookie() { @@ -239,7 +239,7 @@ private void setExpire(String value) { private void setMaxAge(String value) { try { - maxAge = Math.max(Long.valueOf(value), 0L); + maxAge = Math.max(Integer.valueOf(value), 0); } catch (NumberFormatException e1) { // ignore failure to parse -> treat as session cookie }
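Review bot: In the `setMaxAge(String value)` hunk, `Integer.valueOf(value)` throws `NumberFormatException` for any Max-Age above 2147483647, and the existing catch block then treats the cookie as a session cookie, so a very large but well-formed Max-Age is silently dropped where the `Long.valueOf` version accepted it. Consider parsing as `long` and clamping to `Integer.MAX_VALUE` before assigning, so an oversized value degrades to the longest representable lifetime instead of to "unspecified". The cast in `mergeMaxAgeAndExpire` has the same range problem for far-future `expires` dates and would benefit from the same clamp.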
src/main/java/org/jboss/netty/handler/codec/http/cookie/Cookie.java+4 −4 modified@@ -87,22 +87,22 @@ public interface Cookie extends Comparable<Cookie> { void setPath(String path); /** - * Returns the maximum age of this {@link Cookie} in seconds or {@link Long#MIN_VALUE} if unspecified + * Returns the maximum age of this {@link Cookie} in seconds or {@link Integer#MIN_VALUE} if unspecified * * @return The maximum age of this {@link Cookie} */ - long maxAge(); + int maxAge(); /** * Sets the maximum age of this {@link Cookie} in seconds. * If an age of {@code 0} is specified, this {@link Cookie} will be * automatically removed by browser because it will expire immediately. - * If {@link Long#MIN_VALUE} is specified, this {@link Cookie} will be removed when the + * If {@link Integer#MIN_VALUE} is specified, this {@link Cookie} will be removed when the * browser is closed. * * @param maxAge The maximum age of this {@link Cookie} in seconds */ - void setMaxAge(long maxAge); + void setMaxAge(int maxAge); /** * Checks to see if this {@link Cookie} is secure
src/main/java/org/jboss/netty/handler/codec/http/CookieDecoder.java+2 −2 modified@@ -138,7 +138,7 @@ public Set<Cookie> decode(String header) { String commentURL = null; String domain = null; String path = null; - long maxAge = Long.MIN_VALUE; + int maxAge = Integer.MIN_VALUE; List<Integer> ports = new ArrayList<Integer>(2); for (int j = i + 1; j < names.size(); j++, i++) { @@ -165,7 +165,7 @@ public Set<Cookie> decode(String header) { HttpHeaderDateFormat.get().parse(value).getTime() - System.currentTimeMillis(); - maxAge = maxAgeMillis / 1000 + (maxAgeMillis % 1000 != 0? 1 : 0); + maxAge = (int) (maxAgeMillis / 1000 + (maxAgeMillis % 1000 != 0? 1 : 0)); } catch (ParseException e) { // Ignore. }
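Review bot: The narrowing cast in `maxAge = (int) (maxAgeMillis / 1000 + (maxAgeMillis % 1000 != 0? 1 : 0));` has no range check, so an `Expires` date more than roughly 68 years ahead wraps around and can yield a negative max age or even collide with the `Integer.MIN_VALUE` "unspecified" sentinel. Clamp the seconds value to the `int` range before casting (for example with `Math.min(seconds, Integer.MAX_VALUE)`), and decide explicitly what a date already in the past should map to.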
src/main/java/org/jboss/netty/handler/codec/http/cookie/DefaultCookie.java+3 −3 modified@@ -25,7 +25,7 @@ public class DefaultCookie implements Cookie { private boolean wrap; private String domain; private String path; - private long maxAge = Long.MIN_VALUE; + private int maxAge = Integer.MIN_VALUE; private boolean secure; private boolean httpOnly; @@ -105,11 +105,11 @@ public void setPath(String path) { this.path = validateValue("path", path); } - public long maxAge() { + public int maxAge() { return maxAge; } - public void setMaxAge(long maxAge) { + public void setMaxAge(int maxAge) { this.maxAge = maxAge; }
src/main/java/org/jboss/netty/handler/codec/http/Cookie.java+6 −6 modified@@ -20,7 +20,7 @@ /** * An interface defining an * <a href="http://en.wikipedia.org/wiki/HTTP_cookie">HTTP cookie</a>. - * @deprecated Use {@link io.netty.handler.codec.http.cookie.Cookie} instead. + * @deprecated Use {@link org.jboss.netty.handler.codec.http.cookie.Cookie} instead. */ @Deprecated public interface Cookie extends org.jboss.netty.handler.codec.http.cookie.Cookie { @@ -79,31 +79,31 @@ public interface Cookie extends org.jboss.netty.handler.codec.http.cookie.Cookie * @deprecated Use {@link #maxAge()} instead. */ @Deprecated - long getMaxAge(); + int getMaxAge(); /** - * Returns the maximum age of this {@link Cookie} in seconds or {@link Long#MIN_VALUE} if unspecified + * Returns the maximum age of this {@link Cookie} in seconds or {@link Integer#MIN_VALUE} if unspecified * * @return The maximum age of this {@link Cookie} * * @deprecated Not part of RFC6265 */ @Deprecated - long maxAge(); + int maxAge(); /** * Sets the maximum age of this {@link Cookie} in seconds. * If an age of {@code 0} is specified, this {@link Cookie} will be * automatically removed by browser because it will expire immediately. - * If {@link Long#MIN_VALUE} is specified, this {@link Cookie} will be removed when the + * If {@link Integer#MIN_VALUE} is specified, this {@link Cookie} will be removed when the * browser is closed. * * @param maxAge The maximum age of this {@link Cookie} in seconds * * @deprecated Not part of RFC6265 */ @Deprecated - void setMaxAge(long maxAge); + void setMaxAge(int maxAge); /** * @deprecated Use {@link #version()} instead.
src/main/java/org/jboss/netty/handler/codec/http/cookie/ServerCookieEncoder.java+1 −1 modified@@ -93,7 +93,7 @@ public String encode(Cookie cookie) { add(buf, name, value); } - if (cookie.maxAge() != Long.MIN_VALUE) { + if (cookie.maxAge() != Integer.MIN_VALUE) { add(buf, CookieHeaderNames.MAX_AGE, cookie.maxAge()); Date expires = new Date(cookie.maxAge() * 1000 + System.currentTimeMillis()); add(buf, CookieHeaderNames.EXPIRES, HttpHeaderDateFormat.get().format(expires));
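Review bot: The unchanged context line `new Date(cookie.maxAge() * 1000 + System.currentTimeMillis())` changes meaning with this patch: now that `maxAge()` returns `int`, `cookie.maxAge() * 1000` is evaluated in 32-bit arithmetic and overflows for any max age above 2147483 seconds (about 24.8 days) before it is widened for the addition. The emitted `Expires` attribute would then disagree with `Max-Age` and may land in the past. Use `cookie.maxAge() * 1000L` so the multiplication is done in `long`.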
src/main/java/org/jboss/netty/handler/codec/http/DefaultCookie.java+1 −1 modified@@ -154,7 +154,7 @@ public void setPorts(Iterable<Integer> ports) { } @Deprecated - public long getMaxAge() { + public int getMaxAge() { return maxAge(); }
src/test/java/org/jboss/netty/handler/codec/http/cookie/ClientCookieDecoderTest.java+4 −4 modified@@ -172,11 +172,11 @@ public void testDecodingGoogleAnalyticsCookie() { @Test public void testDecodingLongDates() { Calendar cookieDate = Calendar.getInstance(TimeZone.getTimeZone("UTC")); - cookieDate.set(9999, Calendar.DECEMBER, 31, 23, 59, 59); - long expectedMaxAge = (cookieDate.getTimeInMillis() - System - .currentTimeMillis()) / 1000; + cookieDate.set(2080, Calendar.DECEMBER, 31, 23, 59, 59); + int expectedMaxAge = (int)((cookieDate.getTimeInMillis() - System + .currentTimeMillis()) / 1000); - String source = "Format=EU; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/"; + String source = "Format=EU; expires=Fri, 31-Dec-2080 23:59:59 GMT; path=/"; Cookie cookie = ClientCookieDecoder.STRICT.decode(source);
src/test/java/org/jboss/netty/handler/codec/http/CookieDecoderTest.java+4 −4 modified@@ -207,7 +207,7 @@ public void testDecodingClientSideCookies() { assertNull(c.getCommentUrl()); assertNull(c.getDomain()); assertTrue(c.getPorts().isEmpty()); - assertEquals(Long.MIN_VALUE, c.getMaxAge()); + assertEquals(Integer.MIN_VALUE, c.getMaxAge()); c = it.next(); assertEquals(1, c.getVersion()); @@ -218,7 +218,7 @@ public void testDecodingClientSideCookies() { assertNull(c.getCommentUrl()); assertNull(c.getDomain()); assertTrue(c.getPorts().isEmpty()); - assertEquals(Long.MIN_VALUE, c.getMaxAge()); + assertEquals(Integer.MIN_VALUE, c.getMaxAge()); assertFalse(it.hasNext()); } @@ -243,7 +243,7 @@ public void testDecodingCommaSeparatedClientSideCookies() { assertNull(c.getCommentUrl()); assertNull(c.getDomain()); assertTrue(c.getPorts().isEmpty()); - assertEquals(Long.MIN_VALUE, c.getMaxAge()); + assertEquals(Integer.MIN_VALUE, c.getMaxAge()); assertTrue(it.hasNext()); c = it.next(); @@ -255,7 +255,7 @@ public void testDecodingCommaSeparatedClientSideCookies() { assertNull(c.getComment()); assertNull(c.getCommentUrl()); assertTrue(c.getPorts().isEmpty()); - assertEquals(Long.MIN_VALUE, c.getMaxAge()); + assertEquals(Integer.MIN_VALUE, c.getMaxAge()); assertFalse(it.hasNext()); }
9 files changed · +31 −31
src/main/java/org/jboss/netty/handler/codec/http/cookie/ClientCookieDecoder.java+6 −6 modified@@ -154,7 +154,7 @@ private static class CookieBuilder { private final DefaultCookie cookie; private String domain; private String path; - private long maxAge = Long.MIN_VALUE; + private int maxAge = Integer.MIN_VALUE; private String expires; private boolean secure; private boolean httpOnly; @@ -163,18 +163,18 @@ public CookieBuilder(DefaultCookie cookie) { this.cookie = cookie; } - private long mergeMaxAgeAndExpire(long maxAge, String expires) { + private int mergeMaxAgeAndExpire(int maxAge, String expires) { // max age has precedence over expires - if (maxAge != Long.MIN_VALUE) { + if (maxAge != Integer.MIN_VALUE) { return maxAge; } else if (expires != null) { Date expiresDate = HttpHeaderDateFormat.get().parse(expires, new ParsePosition(0)); if (expiresDate != null) { long maxAgeMillis = expiresDate.getTime() - System.currentTimeMillis(); - return maxAgeMillis / 1000 + (maxAgeMillis % 1000 != 0 ? 1 : 0); + return (int) (maxAgeMillis / 1000 + (maxAgeMillis % 1000 != 0 ? 1 : 0)); } } - return Long.MIN_VALUE; + return Integer.MIN_VALUE; } public Cookie cookie() { @@ -239,7 +239,7 @@ private void setExpire(String value) { private void setMaxAge(String value) { try { - maxAge = Math.max(Long.valueOf(value), 0L); + maxAge = Math.max(Integer.valueOf(value), 0); } catch (NumberFormatException e1) { // ignore failure to parse -> treat as session cookie }
src/main/java/org/jboss/netty/handler/codec/http/cookie/Cookie.java+4 −4 modified@@ -87,22 +87,22 @@ public interface Cookie extends Comparable<Cookie> { void setPath(String path); /** - * Returns the maximum age of this {@link Cookie} in seconds or {@link Long#MIN_VALUE} if unspecified + * Returns the maximum age of this {@link Cookie} in seconds or {@link Integer#MIN_VALUE} if unspecified * * @return The maximum age of this {@link Cookie} */ - long maxAge(); + int maxAge(); /** * Sets the maximum age of this {@link Cookie} in seconds. * If an age of {@code 0} is specified, this {@link Cookie} will be * automatically removed by browser because it will expire immediately. - * If {@link Long#MIN_VALUE} is specified, this {@link Cookie} will be removed when the + * If {@link Integer#MIN_VALUE} is specified, this {@link Cookie} will be removed when the * browser is closed. * * @param maxAge The maximum age of this {@link Cookie} in seconds */ - void setMaxAge(long maxAge); + void setMaxAge(int maxAge); /** * Checks to see if this {@link Cookie} is secure
src/main/java/org/jboss/netty/handler/codec/http/CookieDecoder.java+2 −2 modified@@ -138,7 +138,7 @@ public Set<Cookie> decode(String header) { String commentURL = null; String domain = null; String path = null; - long maxAge = Long.MIN_VALUE; + int maxAge = Integer.MIN_VALUE; List<Integer> ports = new ArrayList<Integer>(2); for (int j = i + 1; j < names.size(); j++, i++) { @@ -165,7 +165,7 @@ public Set<Cookie> decode(String header) { HttpHeaderDateFormat.get().parse(value).getTime() - System.currentTimeMillis(); - maxAge = maxAgeMillis / 1000 + (maxAgeMillis % 1000 != 0? 1 : 0); + maxAge = (int) (maxAgeMillis / 1000 + (maxAgeMillis % 1000 != 0? 1 : 0)); } catch (ParseException e) { // Ignore. }
src/main/java/org/jboss/netty/handler/codec/http/cookie/DefaultCookie.java+3 −3 modified@@ -25,7 +25,7 @@ public class DefaultCookie implements Cookie { private boolean wrap; private String domain; private String path; - private long maxAge = Long.MIN_VALUE; + private int maxAge = Integer.MIN_VALUE; private boolean secure; private boolean httpOnly; @@ -105,11 +105,11 @@ public void setPath(String path) { this.path = validateValue("path", path); } - public long maxAge() { + public int maxAge() { return maxAge; } - public void setMaxAge(long maxAge) { + public void setMaxAge(int maxAge) { this.maxAge = maxAge; }
src/main/java/org/jboss/netty/handler/codec/http/Cookie.java+6 −6 modified@@ -20,7 +20,7 @@ /** * An interface defining an * <a href="http://en.wikipedia.org/wiki/HTTP_cookie">HTTP cookie</a>. - * @deprecated Use {@link io.netty.handler.codec.http.cookie.Cookie} instead. + * @deprecated Use {@link org.jboss.netty.handler.codec.http.cookie.Cookie} instead. */ @Deprecated public interface Cookie extends org.jboss.netty.handler.codec.http.cookie.Cookie { @@ -79,31 +79,31 @@ public interface Cookie extends org.jboss.netty.handler.codec.http.cookie.Cookie * @deprecated Use {@link #maxAge()} instead. */ @Deprecated - long getMaxAge(); + int getMaxAge(); /** - * Returns the maximum age of this {@link Cookie} in seconds or {@link Long#MIN_VALUE} if unspecified + * Returns the maximum age of this {@link Cookie} in seconds or {@link Integer#MIN_VALUE} if unspecified * * @return The maximum age of this {@link Cookie} * * @deprecated Not part of RFC6265 */ @Deprecated - long maxAge(); + int maxAge(); /** * Sets the maximum age of this {@link Cookie} in seconds. * If an age of {@code 0} is specified, this {@link Cookie} will be * automatically removed by browser because it will expire immediately. - * If {@link Long#MIN_VALUE} is specified, this {@link Cookie} will be removed when the + * If {@link Integer#MIN_VALUE} is specified, this {@link Cookie} will be removed when the * browser is closed. * * @param maxAge The maximum age of this {@link Cookie} in seconds * * @deprecated Not part of RFC6265 */ @Deprecated - void setMaxAge(long maxAge); + void setMaxAge(int maxAge); /** * @deprecated Use {@link #version()} instead.
src/main/java/org/jboss/netty/handler/codec/http/cookie/ServerCookieEncoder.java+1 −1 modified@@ -93,7 +93,7 @@ public String encode(Cookie cookie) { add(buf, name, value); } - if (cookie.maxAge() != Long.MIN_VALUE) { + if (cookie.maxAge() != Integer.MIN_VALUE) { add(buf, CookieHeaderNames.MAX_AGE, cookie.maxAge()); Date expires = new Date(cookie.maxAge() * 1000 + System.currentTimeMillis()); add(buf, CookieHeaderNames.EXPIRES, HttpHeaderDateFormat.get().format(expires));
src/main/java/org/jboss/netty/handler/codec/http/DefaultCookie.java+1 −1 modified@@ -154,7 +154,7 @@ public void setPorts(Iterable<Integer> ports) { } @Deprecated - public long getMaxAge() { + public int getMaxAge() { return maxAge(); }
src/test/java/org/jboss/netty/handler/codec/http/cookie/ClientCookieDecoderTest.java+4 −4 modified@@ -172,11 +172,11 @@ public void testDecodingGoogleAnalyticsCookie() { @Test public void testDecodingLongDates() { Calendar cookieDate = Calendar.getInstance(TimeZone.getTimeZone("UTC")); - cookieDate.set(9999, Calendar.DECEMBER, 31, 23, 59, 59); - long expectedMaxAge = (cookieDate.getTimeInMillis() - System - .currentTimeMillis()) / 1000; + cookieDate.set(2080, Calendar.DECEMBER, 31, 23, 59, 59); + int expectedMaxAge = (int)((cookieDate.getTimeInMillis() - System + .currentTimeMillis()) / 1000); - String source = "Format=EU; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/"; + String source = "Format=EU; expires=Fri, 31-Dec-2080 23:59:59 GMT; path=/"; Cookie cookie = ClientCookieDecoder.STRICT.decode(source);
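Review bot: `testDecodingLongDates` now uses `31-Dec-2080` instead of `31-Dec-9999` and casts `expectedMaxAge` to `int`, which keeps the test green but removes the only coverage of an `expires` value that does not fit the new `int` field. Keep the 2080 case and add a second case with the original year-9999 header that asserts the intended out-of-range behaviour (for instance a clamped `Integer.MAX_VALUE`), so the overflow path is pinned down rather than left undefined.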
src/test/java/org/jboss/netty/handler/codec/http/CookieDecoderTest.java+4 −4 modified@@ -212,7 +212,7 @@ public void testDecodingClientSideCookies() { assertNull(c.getCommentUrl()); assertNull(c.getDomain()); assertTrue(c.getPorts().isEmpty()); - assertEquals(Long.MIN_VALUE, c.getMaxAge()); + assertEquals(Integer.MIN_VALUE, c.getMaxAge()); c = it.next(); assertEquals(1, c.getVersion()); @@ -223,7 +223,7 @@ public void testDecodingClientSideCookies() { assertNull(c.getCommentUrl()); assertNull(c.getDomain()); assertTrue(c.getPorts().isEmpty()); - assertEquals(Long.MIN_VALUE, c.getMaxAge()); + assertEquals(Integer.MIN_VALUE, c.getMaxAge()); assertFalse(it.hasNext()); } @@ -248,7 +248,7 @@ public void testDecodingCommaSeparatedClientSideCookies() { assertNull(c.getCommentUrl()); assertNull(c.getDomain()); assertTrue(c.getPorts().isEmpty()); - assertEquals(Long.MIN_VALUE, c.getMaxAge()); + assertEquals(Integer.MIN_VALUE, c.getMaxAge()); assertTrue(it.hasNext()); c = it.next(); @@ -260,7 +260,7 @@ public void testDecodingCommaSeparatedClientSideCookies() { assertNull(c.getComment()); assertNull(c.getCommentUrl()); assertTrue(c.getPorts().isEmpty()); - assertEquals(Long.MIN_VALUE, c.getMaxAge()); + assertEquals(Integer.MIN_VALUE, c.getMaxAge()); assertFalse(it.hasNext()); }
References
- lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html · nvd · Third Party Advisory · WEB
- lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html · nvd · Third Party Advisory · WEB
- netty.io/news/2015/05/08/3-9-8-Final-and-3.html · nvd · Vendor Advisory · WEB
- www.openwall.com/lists/oss-security/2015/05/17/1 · nvd · Mailing List, Third Party Advisory · WEB
- www.securityfocus.com/bid/74704 · nvd · Third Party Advisory, VDB Entry · WEB
- bugzilla.redhat.com/show_bug.cgi · nvd · Issue Tracking, Third Party Advisory · WEB
- github.com/advisories/GHSA-xfv3-rrfm-f2rv · ghsa · ADVISORY
- github.com/netty/netty/pull/3754 · nvd · Third Party Advisory · WEB
- nvd.nist.gov/vuln/detail/CVE-2015-2156 · ghsa · ADVISORY
- www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass · nvd · Third Party Advisory · WEB
- github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55 · ghsa · WEB
- github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752 · ghsa · WEB
- github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9 · ghsa · WEB
- lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E · ghsa · WEB
- lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E · ghsa · WEB
- lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E · ghsa · WEB
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E · ghsa · WEB
- snyk.io/vuln/SNYK-JAVA-IONETTY-73571 · ghsa · WEB
- lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E · nvd
- lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E · nvd
- lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E · nvd
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E · nvd