Source: netty
Version: 1:4.1.33-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/netty/netty/issues/9861

Hi,

The following vulnerabilities were published for netty.

CVE-2019-20445[0]:
| HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length
| header to be accompanied by a second Content-Length header, or by a
| Transfer-Encoding header.

CVE-2020-7238[1]:
| Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles
| Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked
| line) and a later Content-Length header. This issue exists because of an
| incomplete fix for CVE-2019-16869.

Both appear to be fixed with the same fix upstream, as per [2].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20445
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
[1] https://security-tracker.debian.org/tracker/CVE-2020-7238
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238
[2] https://github.com/netty/netty/issues/9861

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
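The framing ambiguities the two CVE descriptions name (a second Content-Length, Content-Length next to Transfer-Encoding, and a Transfer-Encoding line with leading whitespace) are what a strict HTTP/1.1 parser must reject outright. The validator below is an added illustration written for this report, not netty code or the upstream fix; its function name and sample requests are constructed.

```python
"""Strict HTTP/1.1 request-head check that refuses the ambiguous framings
described in CVE-2019-20445 and CVE-2020-7238 (added example, not netty code)."""
import re

# RFC 7230 'token' characters: a header field name may not contain whitespace,
# so "Transfer-Encoding : chunked" is rejected rather than silently normalised.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def validate_request_head(raw: bytes) -> str:
    """Return 'ok' or a short rejection reason for a raw HTTP/1.1 request head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete head"
    lines = head.split(b"\r\n")
    content_lengths, transfer_encodings = [], []
    for line in lines[1:]:  # lines[0] is the request line
        # Obsolete line folding: " Transfer-Encoding: chunked" is a continuation
        # line to some parsers and a real header to others, so refuse it.
        if line[:1] in (b" ", b"\t"):
            return "obs-fold / leading whitespace in header line"
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.fullmatch(name.decode("latin-1")):
            return "malformed header field name"
        lname = name.lower()
        if lname == b"content-length":
            content_lengths.append(value.strip())
        elif lname == b"transfer-encoding":
            transfer_encodings.append(value.strip())
    # Two framing mechanisms at once let front and back ends disagree on where
    # one request ends and the next begins (request smuggling).
    if content_lengths and transfer_encodings:
        return "Content-Length and Transfer-Encoding both present"
    if len(content_lengths) > 1:
        return "multiple Content-Length headers"
    if content_lengths and not content_lengths[0].isdigit():
        return "non-numeric Content-Length"
    return "ok"


if __name__ == "__main__":
    # Constructed sample requests mirroring the report's descriptions.
    samples = [
        b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\nhello",
        b"POST / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
        b"POST / HTTP/1.1\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
        b"POST / HTTP/1.1\r\nHost: example\r\n Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n",
    ]
    for s in samples:
        print(validate_request_head(s))
```

A proxy or test harness can apply the same check to both the front-end and back-end view of a request; any result other than 'ok' should be answered with 400 rather than forwarded.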