-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0583
                         netty-3.9 security update
                             20 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           netty-3.9
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-7238 CVE-2019-20445 CVE-2019-20444
                   CVE-2019-16869 CVE-2014-3488 CVE-2014-0193

Reference:         ESB-2020.0504
                   ESB-2020.0450
                   ESB-2020.0216
                   ESB-2018.1282

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : netty-3.9
Version        : 3.9.0.Final-1+deb8u1
CVE ID         : CVE-2014-0193 CVE-2014-3488 CVE-2019-16869 CVE-2019-20444 
                 CVE-2019-20445 CVE-2020-7238
Debian Bug     : 746639 941266 950966 950967


Several vulnerabilities were discovered in Netty, a Java NIO
client/server socket framework:

CVE-2014-0193

    WebSocket08FrameDecoder allows remote attackers to cause a denial
    of service (memory consumption) via a TextWebSocketFrame followed
    by a long stream of ContinuationWebSocketFrames.

CVE-2014-3488

    The SslHandler allows remote attackers to cause a denial of
    service (infinite loop and CPU consumption) via a crafted
    SSLv2Hello message.

CVE-2019-16869

    Netty mishandles whitespace before the colon in HTTP headers (such
    as a "Transfer-Encoding : chunked" line), which leads to HTTP
    request smuggling.

CVE-2019-20444

    HttpObjectDecoder.java allows an HTTP header that lacks a colon,
    which might be interpreted as a separate header with an incorrect
    syntax, or might be interpreted as an "invalid fold."

CVE-2019-20445

    HttpObjectDecoder.java allows a Content-Length header to be
    accompanied by a second Content-Length header, or by a
    Transfer-Encoding header.

CVE-2020-7238

    Netty allows HTTP Request Smuggling because it mishandles
    Transfer-Encoding whitespace (such as a
    [space]Transfer-Encoding:chunked line) and a later Content-Length
    header.
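As an added illustration that is not part of the Debian advisory or of Netty's own code, the stand-alone check below flags the four HTTP header shapes the entries above describe, so a front end or test harness can reject a request whose body framing two parsers might read differently. The function name, the sample header blocks and the exact checks are assumptions, not Netty's decoder logic.

```python
import re
from typing import Dict, List

# RFC 7230 "token": a field-name may contain nothing else, so no whitespace
# may sit between the name and the colon.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def framing_problems(raw_headers: bytes) -> List[str]:
    """Return reasons a CRLF-separated header block is ambiguous about body
    framing; an empty list means it is unambiguous. Assumed, stand-alone
    checks for the header shapes named above, not Netty's own decoder."""
    problems: List[str] = []
    seen: Dict[str, List[str]] = {}
    for line in raw_headers.split(b"\r\n"):
        if not line:
            continue
        text = line.decode("latin-1")
        # CVE-2020-7238: a leading space ("[space]Transfer-Encoding:chunked") is
        # an obs-fold continuation to one parser and a new header to another.
        if text[0] in " \t":
            problems.append(f"leading whitespace (obs-fold): {text!r}")
            continue
        name, sep, value = text.partition(":")
        # CVE-2019-20444: a line without a colon is not a valid header field.
        if not sep:
            problems.append(f"header line without colon: {text!r}")
            continue
        # CVE-2019-16869: "Transfer-Encoding : chunked" has a space in the name.
        if not _TOKEN.match(name):
            problems.append(f"illegal field name: {name!r}")
            continue
        seen.setdefault(name.lower(), []).append(value.strip())
    # CVE-2019-20445: a second Content-Length, or Content-Length next to
    # Transfer-Encoding, lets two hops disagree about where the body ends.
    cl = seen.get("content-length", [])
    if len(cl) > 1:
        problems.append(f"multiple Content-Length values: {cl}")
    if cl and "transfer-encoding" in seen:
        problems.append("Content-Length present alongside Transfer-Encoding")
    return problems


# Constructed sample header blocks (not captured from real traffic).
CLEAN = b"Host: example.test\r\nContent-Length: 5\r\n"
SPACE_BEFORE_COLON = b"Host: example.test\r\nTransfer-Encoding : chunked\r\n"
LEADING_SPACE = b"Host: example.test\r\n Transfer-Encoding:chunked\r\nContent-Length: 5\r\n"
NO_COLON = b"Host: example.test\r\nX-Broken header\r\n"
TWO_LENGTHS = b"Host: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n"
```

Rejecting the whole request (or closing the connection) on any non-empty result is the safe response; a strict parser in front of a lenient one is what makes these header shapes exploitable.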

For Debian 8 "Jessie", these problems have been fixed in version
3.9.0.Final-1+deb8u1.

We recommend that you upgrade your netty-3.9 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----