netty 1:4.1.33-1+deb10u2 source package in Debian

Changelog

netty (1:4.1.33-1+deb10u2) buster-security; urgency=high

  * Team upload.
  * Fix the following security vulnerabilities:
    - CVE-2019-20444:
      HttpObjectDecoder.java allows an HTTP header that lacks a colon, which
      might be interpreted as a separate header with an incorrect syntax, or
      might be interpreted as an "invalid fold."
    - CVE-2019-20445:
      HttpObjectDecoder.java allows a Content-Length header to be accompanied
      by a second Content-Length header, or by a Transfer-Encoding header.
    - CVE-2020-7238:
      Netty allows HTTP Request Smuggling because it mishandles
      Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked
      line) and a later Content-Length header.
    - CVE-2020-11612:
      The ZlibDecoders allow for unbounded memory allocation while decoding a
      ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte
      stream to the Netty server, forcing the server to allocate all of its
      free memory to a single decoder.
    - CVE-2021-21290:
      In Netty there is a vulnerability on Unix-like systems involving an
      insecure temp file. When netty's multipart decoders are used local
      information disclosure can occur via the local system temporary directory
      if temporarily storing uploads on disk is enabled. On Unix-like
      systems, the temporary directory is shared between all users. As such,
      writing to this directory using APIs that do not explicitly set the
      file/directory permissions can lead to information disclosure.
    - CVE-2021-21295:
      In Netty there is a vulnerability that enables request smuggling. If a
      Content-Length header is present in the original HTTP/2 request, the
      field is not validated by `Http2MultiplexHandler` as it is propagated up.
      This is fine as long as the request is not proxied through as HTTP/1.1.
      If the request comes in as an HTTP/2 stream, gets converted into the
      HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via
      `Http2StreamFrameToHttpObjectCodec` and then sent up to the child
      channel's pipeline and proxied through a remote peer as HTTP/1.1 this may
      result in request smuggling.
    - CVE-2021-21409:
      In Netty there is a vulnerability that enables request smuggling. The
      content-length header is not correctly validated if the request only uses
      a single Http2HeaderFrame with the endStream set to true. This could
      lead to request smuggling if the request is proxied to a remote peer and
      translated to HTTP/1.1.

 -- Markus Koschany <email address hidden>  Thu, 01 Apr 2021 23:20:46 +0200
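The first three entries in the changelog describe HTTP/1.1 request-framing ambiguities (a header line without a colon, duplicate or conflicting Content-Length, a whitespace-led Transfer-Encoding line) and the last two describe the HTTP/2-to-HTTP/1.1 variant, where a Content-Length carried in the HEADERS frame is never compared with the DATA actually received. The following is an added example written for this page, not netty's own code (Python rather than netty's Java, so that it runs stand-alone): a small request-head checker that rejects each construct the changelog names, run over constructed sample requests. The names `SmugglingRisk`, `classify`, `framing` and `h2_content_length_ok`, the sample requests, and the policy of rejecting a whitespace-led (obs-fold) line outright instead of folding it are this example's assumptions, not netty's behaviour.

```python
"""Request-head checks for the framing ambiguities listed in the changelog.

Constructed example, not netty's code. A front end that is laxer than the
back end it proxies to is what makes smuggling possible, so every ambiguous
construct is rejected outright (HTTP 400) instead of being normalised.
"""


class SmugglingRisk(ValueError):
    """A request head that two parsers could frame differently."""


def split_head(raw: bytes):
    """Separate request line, header lines and body; latin-1 keeps bytes 1:1."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SmugglingRisk("request head not terminated by CRLF CRLF")
    lines = head.decode("latin-1").split("\r\n")
    return lines[0], lines[1:], body


def parse_headers(header_lines):
    """Return [(lower-case name, value)] or raise SmugglingRisk."""
    headers = []
    for line in header_lines:
        if line[:1] in (" ", "\t"):
            # CVE-2020-7238 shape: " Transfer-Encoding:chunked". RFC 7230 treats a
            # whitespace-led line as an obsolete fold of the previous field, so one
            # parser sees no Transfer-Encoding while another sees a chunked body.
            # Assumption in this example: reject the fold rather than apply it.
            raise SmugglingRisk(f"whitespace-led header line: {line!r}")
        name, colon, value = line.partition(":")
        if not colon:
            # CVE-2019-20444 shape: a header line with no colon at all.
            raise SmugglingRisk(f"header line without a colon: {line!r}")
        if not name or name != name.strip():
            raise SmugglingRisk(f"whitespace in header name: {line!r}")
        headers.append((name.lower(), value.strip()))
    return headers


def framing(headers):
    """How the body is delimited: ('content-length', n), ('chunked', None)
    or ('none', None). Raises on the CVE-2019-20445 conditions."""
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        raise SmugglingRisk("Content-Length alongside Transfer-Encoding")
    if len(cls) > 1:
        raise SmugglingRisk(f"multiple Content-Length headers: {cls}")
    if cls:
        # ASCII digits only: str.isdigit() alone also accepts e.g. superscripts.
        if not (cls[0].isascii() and cls[0].isdigit()):
            raise SmugglingRisk(f"non-numeric Content-Length: {cls[0]!r}")
        return "content-length", int(cls[0])
    if tes:
        codings = [c.strip().lower() for c in ",".join(tes).split(",")]
        if codings[-1] != "chunked":
            raise SmugglingRisk(f"final transfer-coding is not chunked: {tes}")
        return "chunked", None
    return "none", None


def classify(raw: bytes) -> str:
    """Front-end verdict for one request head: 'ok:<framing>' or 'reject:<why>'."""
    try:
        _, header_lines, _ = split_head(raw)
        kind, n = framing(parse_headers(header_lines))
    except SmugglingRisk as exc:
        return f"reject:{exc}"
    return f"ok:{kind}" if n is None else f"ok:{kind}={n}"


def h2_content_length_ok(headers, data_len: int, end_stream: bool) -> bool:
    """CVE-2021-21295/21409 shape: a Content-Length carried in an HTTP/2 HEADERS
    frame must agree with the DATA actually received once END_STREAM is seen,
    otherwise the HTTP/1.1 request built from the stream lies about its body."""
    kind, n = framing(headers)
    if kind != "content-length":
        return True
    return data_len == n if end_stream else data_len <= n


# Constructed sample heads (not captured traffic), one per CVE shape.
SAMPLES = {
    "clean": b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST / HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "no_colon": b"GET / HTTP/1.1\r\nHost x\r\n\r\n",                                   # CVE-2019-20444
    "dup_cl": b"POST / HTTP/1.1\r\nContent-Length: 4\r\nContent-Length: 16\r\n\r\n",   # CVE-2019-20445
    "cl_te": b"POST / HTTP/1.1\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "folded_te": (b"POST / HTTP/1.1\r\nHost: x\r\n Transfer-Encoding:chunked\r\n"
                  b"Content-Length: 4\r\n\r\n0\r\n\r\n"),                             # CVE-2020-7238
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} {classify(raw)}")
```

The operational point for anyone running netty behind or in front of another HTTP implementation is that the parser closest to the client must never accept a framing the next hop would read differently; RFC 7230 permits a server to answer each of the constructs above with 400, and that is cheaper than reasoning about which hop wins. For the HTTP/2 path, `h2_content_length_ok` is the comparison that must happen before a stream is re-encoded as HTTP/1.1, including the single-HEADERS-frame-with-END_STREAM case from CVE-2021-21409, where no DATA frame ever arrives.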

Upload details

Uploaded by:
Debian Java Maintainers
Uploaded to:
Buster
Original maintainer:
Debian Java Maintainers
Architectures:
all
Section:
java
Urgency:
Very Urgent

Publishing

Series Pocket Published Component Section
Buster release main java

Builds

Downloads

File Size SHA-256 Checksum
netty_4.1.33-1+deb10u2.dsc 2.6 KiB 3286a5c945aef9f5a2a3f366d0b8668ec892df275dcdb55d44392b646a5493f6
netty_4.1.33.orig.tar.xz 1.5 MiB 92477569c8a670a07448a70e163e9a45443e9d56b27d32d184987ade78e404b9
netty_4.1.33-1+deb10u2.debian.tar.xz 25.7 KiB b61e365af976a31b4dd23d0c4dc38499f417f113e3e7bcf2e2aa4c535b997ce1

No changes file available.

Binary packages built by this source