Bug#950967: netty: CVE-2019-20445 CVE-2020-7238
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 8 20:31:44 GMT 2020
Source: netty
Version: 1:4.1.33-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/netty/netty/issues/9861
Hi,
The following vulnerabilities were published for netty.
CVE-2019-20445[0]:
| HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length
| header to be accompanied by a second Content-Length header, or by a
| Transfer-Encoding header.
CVE-2020-7238[1]:
| Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles
| Transfer-Encoding whitespace (such as a [space]Transfer-
| Encoding:chunked line) and a later Content-Length header. This issue
| exists because of an incomplete fix for CVE-2019-16869.
Both appears to be fixed with the same fix upstream, as per [2].
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-20445
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
[1] https://security-tracker.debian.org/tracker/CVE-2020-7238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238
[2] https://github.com/netty/netty/issues/9861
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list