Package "libnetty-3.9-java"
| Name: |
libnetty-3.9-java
|
Description: |
Java NIO client/server socket framework
|
| Latest version: |
3.9.0.Final-1ubuntu0.1 |
| Release: |
xenial (16.04) |
| Level: |
security |
| Repository: |
universe |
| Head package: |
netty-3.9 |
| Homepage: |
http://www.netty.io/ |
Links
Download "libnetty-3.9-java"
Other versions of "libnetty-3.9-java" in Xenial
Changelog
|
netty-3.9 (3.9.0.Final-1ubuntu0.1) xenial-security; urgency=medium
* Update debian/rules to fix FTBFS
* SECURITY UPDATE: HTTP request smuggling
- debian/patches/0004-CVE-2019-16869.patch: Correctly handle whitespaces in
HTTP header names as defined by RFC7230#section-3.2.4.
- debian/patches/0005-CVE-2019-20444.patch: Detect missing colon when
parsing http headers with no value.
- debian/patches/0006-CVE-2019-20445-1.patch: Verify we do not receive
multiple content-length headers or a content-length and
transfer-encoding: chunked header when using HTTP/1.1.
- debian/patches/0007-CVE-2019-20445-2.patch: Remove "Content-Length" when
decoding HTTP/1.1 message with both "Transfer-Encoding: chunked" and
"Content-Length".
- CVE-2019-16869
- CVE-2019-20444
- CVE-2019-20445
- CVE-2020-7238
-- Paulo Flabiano Smorigo <email address hidden> Wed, 21 Oct 2020 18:18:23 +0000
|
| CVE-2019-16869 |
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP |
| CVE-2019-20444 |
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incor |
| CVE-2019-20445 |
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-En |
| CVE-2020-7238 |
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) |
|
About
-
Send Feedback to @ubuntu_updates
