Bug#941266: netty: CVE-2019-16869

tony mancill tmancill at debian.org
Fri Jan 3 04:36:03 GMT 2020


On Thu, Jan 02, 2020 at 11:38:08PM +0100, Salvatore Bonaccorso wrote:
> On Fri, Sep 27, 2019 at 01:12:04PM +0200, Salvatore Bonaccorso wrote:
> > Source: netty
> > Version: 1:4.1.33-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/netty/netty/issues/9571
> > 
> > Hi,
> > 
> > The following vulnerability was published for netty.
> > 
> > CVE-2019-16869[0]:
> > | Netty before 4.1.42.Final mishandles whitespace before the colon in
> > | HTTP headers (such as a "Transfer-Encoding : chunked" line), which
> > | leads to HTTP request smuggling.
> 
> Attached is the proposed debdiff. I included the tests as well
> (although those are not run).

Hi Salvatore,

The debdiff looks good to me; thank you for adapting the patch for the
current version in 4.1.33.  No need for an NMU.  I will apply your patch
and perform a team upload to unstable with only this change to make it
easier for backports/security uploads.

Thanks,
tony
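
The parsing issue named in the CVE description quoted above, as an added example that is not part of this message, the debdiff or netty's code: a strict header-line parser that rejects whitespace between the field name and the colon (RFC 7230 section 3.2.4), next to a model of how a name-trimming parser and a literal one disagree on body framing for the same request. All function names and the sample header block are hypothetical and constructed for illustration.

```python
import re

# RFC 7230 section 3.2.6: a field-name is a "token" (no space, tab or colon).
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class MalformedHeader(ValueError):
    """A header line the server should reject with 400 Bad Request."""


def parse_header_line(line):
    """Strictly parse one header line (CRLF removed) into (name, value)."""
    name, sep, value = line.partition(b":")
    if not sep:
        raise MalformedHeader("no colon in header line")
    if name != name.rstrip(b" \t"):
        # RFC 7230 section 3.2.4: no whitespace between field-name and colon.
        raise MalformedHeader("whitespace before colon")
    if not TOKEN.fullmatch(name):
        raise MalformedHeader("field-name is not a valid token")
    return name.decode("ascii").lower(), value.strip(b" \t").decode("latin-1")


def framing(lines, trim_name):
    """Body framing a parser would pick; trim_name models a lenient parser."""
    names = set()
    for line in lines:
        name = line.partition(b":")[0].lower()
        names.add(name.strip(b" \t") if trim_name else name)
    return "chunked" if b"transfer-encoding" in names else "content-length"


def first_violation(lines):
    """Return (index, reason) for the first malformed line, else None."""
    for index, line in enumerate(lines):
        try:
            parse_header_line(line)
        except MalformedHeader as exc:
            return index, str(exc)
    return None


# Constructed sample header block using the line quoted in the CVE text.
SAMPLE = [
    b"Host: example.test",
    b"Content-Length: 4",
    b"Transfer-Encoding : chunked",
]
```

On the sample, the two `framing` models return different answers for the same bytes, which is the disagreement request smuggling depends on; `first_violation` flags the line so the request can be refused before any framing decision is made.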