[Git][java-team/netty][buster] 3 commits: Fix CVE-2021-21409

Markus Koschany gitlab at salsa.debian.org
Thu Apr 1 22:56:58 BST 2021



Markus Koschany pushed to branch buster at Debian Java Maintainers / netty


Commits:
58f8a6a2 by Markus Koschany at 2021-04-01T23:18:30+02:00
Fix CVE-2021-21409

- - - - -
e3e31373 by Markus Koschany at 2021-04-01T23:20:52+02:00
Update changelog

- - - - -
c9d651da by Markus Koschany at 2021-04-01T23:46:36+02:00
Update CVE-2021-21409.patch

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2021-21409.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -36,8 +36,14 @@ netty (1:4.1.33-1+deb10u2) buster-security; urgency=high
       `Http2StreamFrameToHttpObjectCodec `and then sent up to the child
       channel's pipeline and proxied through a remote peer as HTTP/1.1 this may
       result in request smuggling.
-
- -- Markus Koschany <apo at debian.org>  Sun, 28 Mar 2021 18:46:25 +0200
+    - CVE-2021-21409:
+      In Netty there is a vulnerability that enables request smuggling. The
+      content-length header is not correctly validated if the request only uses
+      a single Http2HeaderFrame with the endStream set to to true. This could
+      lead to request smuggling if the request is proxied to a remote peer and
+      translated to HTTP/1.1.
+
+ -- Markus Koschany <apo at debian.org>  Thu, 01 Apr 2021 23:20:46 +0200
 
 netty (1:4.1.33-1+deb10u1) buster-security; urgency=high
 
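Review bot: In the added CVE-2021-21409 entry, "with the endStream set to to true" repeats "to"; drop one. The entry is also appended to the existing 1:4.1.33-1+deb10u2 stanza, with only the trailer date moved from 28 Mar 2021 to 01 Apr 2021, so if deb10u2 has already been uploaded this fix needs its own version stanza instead.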


=====================================
debian/patches/CVE-2021-21409.patch
=====================================
@@ -0,0 +1,37 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 1 Apr 2021 19:16:59 +0200
+Subject: CVE-2021-21409
+
+Bug-Debian: https://bugs.debian.org/986217
+Origin: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
+---
+ .../io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java  | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java
+index ada4feb..92fd1bd 100644
+--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java
++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java
+@@ -296,10 +296,13 @@ public class DefaultHttp2ConnectionDecoder implements Http2ConnectionDecoder {
+                 short weight, boolean exclusive, int padding, boolean endOfStream) throws Http2Exception {
+             Http2Stream stream = connection.stream(streamId);
+             boolean allowHalfClosedRemote = false;
++            boolean isTrailers = false;
+             if (stream == null && !connection.streamMayHaveExisted(streamId)) {
+                 stream = connection.remote().createStream(streamId, endOfStream);
+                 // Allow the state to be HALF_CLOSE_REMOTE if we're creating it in that state.
+                 allowHalfClosedRemote = stream.state() == HALF_CLOSED_REMOTE;
++            } else if (stream != null) {
++                isTrailers = stream.isHeadersReceived();
+             }
+ 
+             if (shouldIgnoreHeadersOrDataFrame(ctx, streamId, stream, "HEADERS")) {
+@@ -337,7 +340,7 @@ public class DefaultHttp2ConnectionDecoder implements Http2ConnectionDecoder {
+                             stream.state());
+             }
+ 
+-            if (!stream.isHeadersReceived()) {
++            if (!isTrailers) {
+                 // extract the content-length header
+                 List<? extends CharSequence> contentLength = headers.getAll(HttpHeaderNames.CONTENT_LENGTH);
+                 if (contentLength != null && !contentLength.isEmpty()) {
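
Review bot: The patch touches only DefaultHttp2ConnectionDecoder.java (1 file changed, 4 insertions, 1 deletion) and brings no regression test. A decoder test that sends a single HEADERS frame with endOfStream set and a content-length header, and asserts that the header is validated, would pin down the case named in the changelog. A short comment at `boolean isTrailers = false;` would also help, stating why the flag is captured at stream lookup rather than read at the later `if (!isTrailers)` check: a stream created in this call leaves it false, and only an already existing stream takes `stream.isHeadersReceived()`.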


=====================================
debian/patches/series
=====================================
@@ -17,3 +17,4 @@ CVE-2019-20445_3.patch
 CVE-2020-11612.patch
 CVE-2021-21290.patch
 CVE-2021-21295.patch
+CVE-2021-21409.patch



View it on GitLab: https://salsa.debian.org/java-team/netty/-/compare/b2c7e07bec5202fedecd15c4a5c7ea160bb1210f...c9d651daeca3303cb9d659b41b18e8b6411ee77b
