Debian LTS: DLA-2110-1: netty-3.9 security update

    Date: 19 Feb 2020
    Posted By: LinuxSecurity Advisories
    
    Package        : netty-3.9
    Version        : 3.9.0.Final-1+deb8u1
    CVE ID         : CVE-2014-0193 CVE-2014-3488 CVE-2019-16869 CVE-2019-20444 
                     CVE-2019-20445 CVE-2020-7238
    Debian Bug     : 746639 941266 950966 950967
    
    
    Several vulnerabilities were discovered in Netty, a Java NIO
    client/server socket framework:
    
    CVE-2014-0193
    
        WebSocket08FrameDecoder allows remote attackers to cause a denial
        of service (memory consumption) via a TextWebSocketFrame followed
        by a long stream of ContinuationWebSocketFrames.
    
    CVE-2014-3488
    
        The SslHandler allows remote attackers to cause a denial of
        service (infinite loop and CPU consumption) via a crafted
        SSLv2Hello message.
    
    CVE-2019-16869
    
        Netty mishandles whitespace before the colon in HTTP headers (such
        as a "Transfer-Encoding : chunked" line), which leads to HTTP
        request smuggling.
    
    CVE-2019-20444
    
        HttpObjectDecoder.java allows an HTTP header that lacks a colon,
        which might be interpreted as a separate header with an incorrect
        syntax, or might be interpreted as an "invalid fold."
    
    CVE-2019-20445
    
        HttpObjectDecoder.java allows a Content-Length header to be
        accompanied by a second Content-Length header, or by a
        Transfer-Encoding header.
    
    CVE-2020-7238
    
        Netty allows HTTP Request Smuggling because it mishandles
        Transfer-Encoding whitespace (such as a
        [space]Transfer-Encoding:chunked line) and a later Content-Length
        header.
    
    For Debian 8 "Jessie", these problems have been fixed in version
    3.9.0.Final-1+deb8u1.
    
    We recommend that you upgrade your netty-3.9 packages.
    
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
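
The malformed header forms listed above for CVE-2019-16869, CVE-2019-20444, CVE-2019-20445 and CVE-2020-7238, written as a strict check that can be run over raw requests, for example in a regression test for a front-end proxy. This is an added example, not part of the Debian advisory or of Netty's code; the function name `audit_headers`, the sample requests and the host `example.test` are constructed for illustration.

```python
import re

# RFC 7230 "token" characters, the only bytes allowed in a header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def audit_headers(raw: bytes) -> list[str]:
    """Return findings for the header block of one raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    findings, names = [], []
    for n, line in enumerate(head.split(b"\r\n")[1:], start=1):  # skip request line
        if line[:1] in (b" ", b"\t"):
            # CVE-2020-7238 form: keep parsing the stripped line so the framing
            # check below sees what a lenient parser would see.
            findings.append(f"header {n}: leading whitespace")
            line = line.lstrip(b" \t")
        name, sep, _value = line.partition(b":")
        if not sep:
            findings.append(f"header {n}: no colon")  # CVE-2019-20444 form
            continue
        if name != name.rstrip(b" \t"):
            findings.append(f"header {n}: whitespace before colon")  # CVE-2019-16869 form
        elif not TOKEN.fullmatch(name):
            findings.append(f"header {n}: invalid field name")
        names.append(name.rstrip(b" \t").lower())
    cl = names.count(b"content-length")
    te = names.count(b"transfer-encoding")
    if cl > 1:
        findings.append("multiple Content-Length headers")  # CVE-2019-20445 form
    if cl and te:
        # CVE-2019-20445 / CVE-2020-7238 form: two ways to frame one body.
        findings.append("Content-Length with Transfer-Encoding")
    return findings

# Constructed sample requests (not captured traffic); example.test is a placeholder.
REQ = b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {
    "clean": REQ + b"Content-Length: 3\r\n\r\nabc",
    "space-before-colon": REQ + b"Transfer-Encoding : chunked\r\nContent-Length: 3\r\n\r\n",
    "no-colon": REQ + b"Transfer-Encoding chunked\r\n\r\n",
    "duplicate-cl": REQ + b"Content-Length: 3\r\nContent-Length: 0\r\n\r\nabc",
    "leading-space-te": REQ + b" Transfer-Encoding:chunked\r\nContent-Length: 3\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", audit_headers(raw) or "ok")
```

A request that produces any finding is one that two HTTP parsers may frame differently, so the safe handling is to reject it rather than normalise it.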
    
