[Git][java-team/netty][buster] 3 commits: Fix CVE-2021-21409
Markus Koschany
gitlab at salsa.debian.org
Thu Apr 1 22:56:58 BST 2021
Markus Koschany pushed to branch buster at Debian Java Maintainers / netty
Commits:
58f8a6a2 by Markus Koschany at 2021-04-01T23:18:30+02:00
Fix CVE-2021-21409
- - - - -
e3e31373 by Markus Koschany at 2021-04-01T23:20:52+02:00
Update changelog
- - - - -
c9d651da by Markus Koschany at 2021-04-01T23:46:36+02:00
Update CVE-2021-21409.patch
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2021-21409.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -36,8 +36,14 @@ netty (1:4.1.33-1+deb10u2) buster-security; urgency=high
`Http2StreamFrameToHttpObjectCodec `and then sent up to the child
channel's pipeline and proxied through a remote peer as HTTP/1.1 this may
result in request smuggling.
-
- -- Markus Koschany <apo at debian.org> Sun, 28 Mar 2021 18:46:25 +0200
+ - CVE-2021-21409:
+ In Netty there is a vulnerability that enables request smuggling. The
+ content-length header is not correctly validated if the request only uses
+ a single Http2HeaderFrame with the endStream set to to true. This could
+ lead to request smuggling if the request is proxied to a remote peer and
+ translated to HTTP/1.1.
+
+ -- Markus Koschany <apo at debian.org> Thu, 01 Apr 2021 23:20:46 +0200
netty (1:4.1.33-1+deb10u1) buster-security; urgency=high
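Review bot: the added CVE-2021-21409 description has a doubled word in "with the endStream set to to true"; it should read "set to true". The item is also appended to the existing 1:4.1.33-1+deb10u2 stanza with only the trailer timestamp changed, so if deb10u2 has already been uploaded this fix needs its own version entry instead.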
=====================================
debian/patches/CVE-2021-21409.patch
=====================================
@@ -0,0 +1,37 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 1 Apr 2021 19:16:59 +0200
+Subject: CVE-2021-21409
+
+Bug-Debian: https://bugs.debian.org/986217
+Origin: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
+---
+ .../io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java b/codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java
+index ada4feb..92fd1bd 100644
+--- a/codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java
++++ b/codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java
+@@ -296,10 +296,13 @@ public class DefaultHttp2ConnectionDecoder implements Http2ConnectionDecoder {
+ short weight, boolean exclusive, int padding, boolean endOfStream) throws Http2Exception {
+ Http2Stream stream = connection.stream(streamId);
+ boolean allowHalfClosedRemote = false;
++ boolean isTrailers = false;
+ if (stream == null && !connection.streamMayHaveExisted(streamId)) {
+ stream = connection.remote().createStream(streamId, endOfStream);
+ // Allow the state to be HALF_CLOSE_REMOTE if we're creating it in that state.
+ allowHalfClosedRemote = stream.state() == HALF_CLOSED_REMOTE;
++ } else if (stream != null) {
++ isTrailers = stream.isHeadersReceived();
+ }
+
+ if (shouldIgnoreHeadersOrDataFrame(ctx, streamId, stream, "HEADERS")) {
+@@ -337,7 +340,7 @@ public class DefaultHttp2ConnectionDecoder implements Http2ConnectionDecoder {
+ stream.state());
+ }
+
+- if (!stream.isHeadersReceived()) {
++ if (!isTrailers) {
+ // extract the content-length header
+ List<? extends CharSequence> contentLength = headers.getAll(HttpHeaderNames.CONTENT_LENGTH);
+ if (contentLength != null && !contentLength.isEmpty()) {
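Review bot: in the hunk at line 296 of DefaultHttp2ConnectionDecoder.java, nothing explains why `isTrailers` has to be sampled from `stream.isHeadersReceived()` on entry instead of being evaluated at the content-length check near line 340, as the removed line did. A short comment next to `boolean isTrailers = false;` stating that the flag must reflect the stream's state before any further handling would keep a later cleanup from folding it back into `if (!stream.isHeadersReceived())`. The patch header's diffstat lists only this one file, so the backport carries no regression test for a single HEADERS frame with endStream set and a mismatched content-length; adding one would help, as would a Description field in the patch header beyond the bare "Subject: CVE-2021-21409".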
=====================================
debian/patches/series
=====================================
@@ -17,3 +17,4 @@ CVE-2019-20445_3.patch
CVE-2020-11612.patch
CVE-2021-21290.patch
CVE-2021-21295.patch
+CVE-2021-21409.patch
View it on GitLab: https://salsa.debian.org/java-team/netty/-/compare/b2c7e07bec5202fedecd15c4a5c7ea160bb1210f...c9d651daeca3303cb9d659b41b18e8b6411ee77b
More information about the pkg-java-commits mailing list