===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0582
                           netty security update
                             20 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           netty
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-7238 CVE-2019-20445 CVE-2019-20444

Reference:         ESB-2020.0504

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : netty
Version        : 1:3.2.6.Final-2+deb8u2
CVE ID         : CVE-2019-20444 CVE-2019-20445 CVE-2020-7238
Debian Bug     : 950966 950967


Several vulnerabilities were discovered in the HTTP server provided by
Netty, a Java NIO client/server socket framework:

CVE-2019-20444

    HttpObjectDecoder.java allows an HTTP header that lacks a colon,
    which might be interpreted as a separate header with an incorrect
    syntax, or might be interpreted as an "invalid fold."

CVE-2019-20445

    HttpObjectDecoder.java allows a Content-Length header to be
    accompanied by a second Content-Length header, or by a
    Transfer-Encoding header.

CVE-2020-7238

    Netty allows HTTP Request Smuggling because it mishandles
    Transfer-Encoding whitespace (such as a
    [space]Transfer-Encoding:chunked line) and a later Content-Length
    header.
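As an added illustration (not part of the Debian or AusCERT text, and not
Netty's own code), the following Python validator applies the strict
request-header checks that the three CVEs above show a decoder must make:
no header line without a colon, no leading whitespace on a header line,
no second Content-Length, and no Content-Length beside Transfer-Encoding.
The sample requests and host names are constructed.

```python
import re

# RFC 7230 token characters allowed in a header field-name.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def validate_headers(raw: bytes) -> list:
    """Return the violations found in a raw HTTP/1.1 request head ([] = clean)."""
    problems = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]           # drop the request line
    content_lengths = []
    transfer_encoding = False
    for line in lines:
        if line[:1] in (b" ", b"\t"):
            # Leading whitespace: an obsolete line fold or the
            # ' Transfer-Encoding:chunked' shape of CVE-2020-7238. Reject it.
            problems.append(f"leading whitespace: {line!r}")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            # CVE-2019-20444: a header line with no colon at all.
            problems.append(f"no colon: {line!r}")
            continue
        if not TOKEN.match(name):
            # Rejects names with embedded or trailing whitespace.
            problems.append(f"bad field name: {name!r}")
            continue
        lname = name.lower()
        if lname == b"content-length":
            content_lengths.append(value.strip())
        elif lname == b"transfer-encoding":
            transfer_encoding = True
    if len(content_lengths) > 1:
        # CVE-2019-20445: a second Content-Length header.
        problems.append("multiple Content-Length")
    if content_lengths and transfer_encoding:
        # CVE-2019-20445: Content-Length alongside Transfer-Encoding.
        problems.append("Content-Length with Transfer-Encoding")
    return problems

# Constructed sample requests (host names are placeholders).
GOOD = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nabc"
NO_COLON = b"POST / HTTP/1.1\r\nHost: example.test\r\nX-Broken header\r\n\r\n"
DUAL_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: 3\r\nContent-Length: 10\r\n\r\n")
TE_AND_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n")
TE_WS = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
         b" Transfer-Encoding:chunked\r\nContent-Length: 4\r\n\r\n")
```

A front-end proxy or WAF that logs the returned strings gives a direct
signal for the malformed requests these CVEs concern.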

For Debian 8 "Jessie", these problems have been fixed in version
1:3.2.6.Final-2+deb8u2.

We recommend that you upgrade your netty packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================