[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 2109-1] netty security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : netty
Version        : 1:3.2.6.Final-2+deb8u2
CVE ID         : CVE-2019-20444 CVE-2019-20445 CVE-2020-7238
Debian Bug     : 950966 950967


Several vulnerabilities were discovered in the HTTP server provided by
Netty, a Java NIO client/server socket framework:

CVE-2019-20444

    HttpObjectDecoder.java allows an HTTP header that lacks a colon,
    which might be interpreted as a separate header with an incorrect
    syntax, or might be interpreted as an "invalid fold."

CVE-2019-20445

    HttpObjectDecoder.java allows a Content-Length header to be
    accompanied by a second Content-Length header, or by a
    Transfer-Encoding header.

CVE-2020-7238

    Netty allows HTTP Request Smuggling because it mishandles
    Transfer-Encoding whitespace (such as a
    [space]Transfer-Encoding:chunked line) and a later Content-Length
    header.

For Debian 8 "Jessie", these problems have been fixed in version
1:3.2.6.Final-2+deb8u2.

We recommend that you upgrade your netty packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl5Ndr0ACgkQj/HLbo2J
BZ+G8Af/bQphXzJyZWo2VTNQU5+XNC+wxVMPRX39/YwicPX6QNKu3KiwkA9rU6Od
xLrpE7I5sNzxFxRP50slrWbamYqTksxD3Oo4vcpCf/zXNk/sd8rWHAvew5so2Wvu
Dpd5sU0wH599QfUG3oEH4ws4T6YZ7msjRzZJI3zMci8K1YA/ynzyGECCOArSwobX
oWhpqzPxr+5gskeC+qqxLn7+15ae0+dweOpbVMqObfsHhzlCCqPJR07ymFOO827b
HeZCbMIZYhV3ClPgmN0nSXlfRM/LbIBVFsabI5qJBpV4mJORvNZAA14vwCSl6ZZa
B0TiXbWB5kk4bawFauA5NOFJWQCyOw==
=2p+e
-----END PGP SIGNATURE-----


Reply to: