Publishing details
Changelog
netty (1:4.1.33-1+deb10u2) buster-security; urgency=high
* Team upload.
* Fix the following security vulnerabilites:
- CVE-2019-20444:
HttpObjectDecoder.java allows an HTTP header that lacks a colon, which
might be interpreted as a separate header with an incorrect syntax, or
might be interpreted as an "invalid fold."
- CVE-2019-20445:
HttpObjectDecoder.java allows a Content-Length header to be accompanied
by a second Content-Length header, or by a Transfer-Encoding header.
- CVE-2020-7238:
Netty allows HTTP Request Smuggling because it mishandles
Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked
line) and a later Content-Length header.
- CVE-2020-11612:
The ZlibDecoders allow for unbounded memory allocation while decoding a
ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte
stream to the Netty server, forcing the server to allocate all of its
free memory to a single decoder.
- CVE-2021-21290:
In Netty there is a vulnerability on Unix-like systems involving an
insecure temp file. When netty's multipart decoders are used local
information disclosure can occur via the local system temporary directory
if temporary storing uploads on the disk is enabled. On unix-like
systems, the temporary directory is shared between all user. As such,
writing to this directory using APIs that do not explicitly set the
file/directory permissions can lead to information disclosure.
- CVE-2021-21295:
In Netty there is a vulnerability that enables request smuggling. If a
Content-Length header is present in the original HTTP/2 request, the
field is not validated by `Http2MultiplexHandler` as it is propagated up.
This is fine as long as the request is not proxied through as HTTP/1.1.
If the request comes in as an HTTP/2 stream, gets converted into the
HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via
`Http2StreamFrameToHttpObjectCodec `and then sent up to the child
channel's pipeline and proxied through a remote peer as HTTP/1.1 this may
result in request smuggling.
- CVE-2021-21409:
In Netty there is a vulnerability that enables request smuggling. The
content-length header is not correctly validated if the request only uses
a single Http2HeaderFrame with the endStream set to to true. This could
lead to request smuggling if the request is proxied to a remote peer and
translated to HTTP/1.1.
-- Markus Koschany <email address hidden> Thu, 01 Apr 2021 23:20:46 +0200
Builds
Package files