[ https://issues.apache.org/jira/browse/KUDU-3313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Serbin updated KUDU-3313: -------------------------------- Priority: Minor (was: Major) > There is a CVE-2021-21409 vulnerability in netty version 4.1.60 > --------------------------------------------------------------- > > Key: KUDU-3313 > URL: https://issues.apache.org/jira/browse/KUDU-3313 > Project: Kudu > Issue Type: Bug > Reporter: yejiabao_h > Priority: Minor > > In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a > vulnerability that enables request smuggling. The content-length header is > not correctly validated if the request only uses a single Http2HeaderFrame > with the endStream set to to true. This could lead to request smuggling if > the request is proxied to a remote peer and translated to HTTP/1.1. This is a > followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one > case. This was fixed as part of 4.1.61.Final. -- This message was sent by Atlassian Jira (v8.3.4#803005)