Bug#986217: netty: CVE-2021-21409

Salvatore Bonaccorso carnil at debian.org
Wed Mar 31 20:18:11 BST 2021


Source: netty
Version: 1:4.1.48-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for netty.

Strictly speaking this might be disputable as RC severity, but I think
it should reach bullseye and so make it onto the RC severity bugs
radar. It is a followup to the CVE-2021-21295 issue where one case was
missed.

CVE-2021-21409[0]:
| Netty is an open-source, asynchronous event-driven network application
| framework for rapid development of maintainable high performance
| protocol servers & clients. In Netty (io.netty:netty-codec-http2)
| before version 4.1.61.Final there is a vulnerability that enables
| request smuggling. The content-length header is not correctly
| validated if the request only uses a single Http2HeaderFrame with the
| endStream set to true. This could lead to request smuggling if the
| request is proxied to a remote peer and translated to HTTP/1.1. This
| is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which missed
| fixing this one case. This was fixed as part of 4.1.61.Final.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21409
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21409
[1] https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
[2] https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
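The failure mode the CVE text describes is a translation problem: an HTTP/2 HEADERS frame with END_STREAM set carries no body, yet if its content-length header is copied unchecked into the HTTP/1.1 request sent to a backend, that backend expects the declared number of body bytes and will read them from whatever follows on the connection. The added example below is not Netty's code and not the upstream fix; it is a small Python model of the HTTP/2 to HTTP/1.1 step with constructed frames (the HeadersFrame, DataFrame and SmugglingRisk names are hypothetical). With validate=False it reproduces the unchecked copy; with validate=True it rejects a non-zero content-length on a headers-only stream and any mismatch between the declared and the received body length once the stream ends.

```python
"""Model of translating an HTTP/2 request stream into an HTTP/1.1 request,
with and without the content-length validation described for CVE-2021-21409.
Constructed example; not Netty code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HeadersFrame:
    # Hypothetical, simplified HTTP/2 HEADERS frame: lower-cased header
    # names with pseudo-headers (":method", ":path", ...) included.
    headers: List[Tuple[str, str]]
    end_stream: bool


@dataclass
class DataFrame:
    # Hypothetical, simplified HTTP/2 DATA frame.
    payload: bytes
    end_stream: bool


class SmugglingRisk(Exception):
    """The stream would translate into an ambiguous HTTP/1.1 message."""


def _values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for n, v in headers if n == name]


def translate(headers_frame: HeadersFrame,
              data_frames: List[DataFrame],
              validate: bool = True) -> bytes:
    """Build the HTTP/1.1 request bytes a proxy would forward to a backend."""
    hdrs = headers_frame.headers
    method = _values(hdrs, ":method")[0]
    path = _values(hdrs, ":path")[0]
    authority = _values(hdrs, ":authority")
    body = b"".join(d.payload for d in data_frames)
    # The request is complete when END_STREAM was seen on HEADERS or last DATA.
    stream_ended = headers_frame.end_stream or bool(
        data_frames and data_frames[-1].end_stream)

    cl_values = _values(hdrs, "content-length")
    declared: Optional[int] = None
    if validate and cl_values:
        if len(set(cl_values)) > 1:
            raise SmugglingRisk("conflicting content-length values")
        if not cl_values[0].isdigit():
            raise SmugglingRisk("non-numeric content-length")
        declared = int(cl_values[0])
        # The missed case: a single HEADERS frame with END_STREAM carries no
        # body, so any non-zero content-length cannot be honoured downstream.
        if headers_frame.end_stream and declared != 0:
            raise SmugglingRisk(
                "content-length %d on a headers-only stream" % declared)
        # General case: once the stream ends, declared and actual must agree.
        if stream_ended and declared != len(body):
            raise SmugglingRisk("content-length %d but %d body bytes"
                                % (declared, len(body)))

    lines = ["%s %s HTTP/1.1" % (method, path)]
    if authority:
        lines.append("Host: %s" % authority[0])
    for name, value in hdrs:
        if not name.startswith(":"):
            # With validate=False this copies content-length unchecked.
            lines.append("%s: %s" % (name, value))
    if not cl_values:
        lines.append("content-length: %d" % len(body))
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + body


def headers_only_request(content_length: str) -> HeadersFrame:
    """Constructed stream: one HEADERS frame, END_STREAM set, no DATA."""
    return HeadersFrame(
        headers=[(":method", "POST"), (":path", "/upload"),
                 (":authority", "backend.example.test"),
                 ("content-length", content_length)],
        end_stream=True)


def check_unvalidated_copy() -> bytes:
    """Unchecked translation: declares 5 body bytes but forwards none, so the
    backend would treat the next 5 bytes on the connection as this body."""
    return translate(headers_only_request("5"), [], validate=False)


def check_validated_copy() -> str:
    """Validated translation rejects the same stream."""
    try:
        translate(headers_only_request("5"), [])
    except SmugglingRisk as exc:
        return str(exc)
    return "accepted"


def check_consistent_stream() -> bytes:
    """A well-formed stream (content-length matches the DATA) still passes."""
    hf = HeadersFrame([(":method", "POST"), (":path", "/upload"),
                       (":authority", "backend.example.test"),
                       ("content-length", "5")], end_stream=False)
    return translate(hf, [DataFrame(b"hello", end_stream=True)])


if __name__ == "__main__":
    print(check_unvalidated_copy())
    print(check_validated_copy())
    print(check_consistent_stream())
```

The zero-length check on a headers-only stream is the specific condition the CVE text names; the declared-versus-received comparison at end of stream is the broader rule a translating proxy should apply, and a backend running HTTP/1.1 has no way to recover either once the mismatched message has been forwarded.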