Your message dated Thu, 01 Apr 2021 06:03:24 +0000
with message-id <[email protected]>
and subject line Bug#986217: fixed in netty 1:4.1.48-4
has caused the Debian Bug report #986217,
regarding netty: CVE-2021-21409
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
986217: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986217
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.48-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for netty.

Strictly speaking this might be disputable as RC severity, but I think
it should reach bullseye and so make it onto the RC severity bugs
radar. It is a followup to the CVE-2021-21295 issue where one case was
missed.

CVE-2021-21409[0]:
| Netty is an open-source, asynchronous event-driven network application
| framework for rapid development of maintainable high performance
| protocol servers & clients. In Netty (io.netty:netty-codec-http2)
| before version 4.1.61.Final there is a vulnerability that enables
| request smuggling. The content-length header is not correctly
| validated if the request only uses a single Http2HeaderFrame with the
| endStream set to true. This could lead to request smuggling if the
| request is proxied to a remote peer and translated to HTTP/1.1. This
| is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to
| fix this one case. This was fixed as part of 4.1.61.Final.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21409
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21409
[1] https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
[2] https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
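The check the advisory describes, written here as an added stand-alone illustration (this is not Netty's code, which is Java, and it is not part of the bug report or the changelog). The `HeadersFrame` and `DataFrame` classes are constructed stand-ins for the two HTTP/2 frame types involved; the translator compares the declared content-length with the bytes actually received before emitting an HTTP/1.1 request, and does so for every stream shape, including the one the report singles out: a single HEADERS frame with END_STREAM set, where the body is necessarily empty and any non-zero content-length must be rejected rather than forwarded.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Union

HeaderValue = Union[str, Sequence[str]]  # a field may appear more than once


@dataclass
class HeadersFrame:
    """Constructed stand-in for an HTTP/2 HEADERS frame (RFC 9113 section 6.2).
    Field names are lower-case, as HTTP/2 requires; pseudo-headers keep the
    leading colon."""
    headers: Dict[str, HeaderValue]
    end_stream: bool = False


@dataclass
class DataFrame:
    """Constructed stand-in for an HTTP/2 DATA frame (RFC 9113 section 6.1)."""
    data: bytes
    end_stream: bool = False


class RequestSmugglingRisk(ValueError):
    """The declared message length disagrees with the bytes actually received,
    or the request carries framing headers HTTP/2 forbids. Forwarding such a
    request over HTTP/1.1 would let the downstream peer desynchronise."""


def parse_content_length(headers: Dict[str, HeaderValue]) -> Optional[int]:
    """Return the declared content-length, or None if the field is absent.
    Repeated fields must all agree and the value must be a plain ASCII decimal
    integer; anything else is rejected (RFC 9110 section 8.6)."""
    raw = headers.get("content-length")
    if raw is None:
        return None
    values = {raw} if isinstance(raw, str) else set(raw)
    if len(values) != 1:
        raise RequestSmugglingRisk(f"conflicting content-length values: {sorted(values)}")
    value = values.pop()
    if not (value.isascii() and value.isdigit()):
        raise RequestSmugglingRisk(f"non-numeric content-length: {value!r}")
    return int(value)


def translate_to_http1(frames: List[Union[HeadersFrame, DataFrame]]) -> bytes:
    """Translate one complete HTTP/2 request stream into HTTP/1.1 wire bytes.

    The length check runs regardless of how many frames the stream has, so a
    lone HEADERS frame with END_STREAM and content-length 45 is refused just
    like a DATA frame that is shorter than advertised."""
    if not frames or not isinstance(frames[0], HeadersFrame):
        raise ValueError("a request stream must start with a HEADERS frame")
    if not frames[-1].end_stream:
        raise ValueError("stream is not complete: END_STREAM not seen")
    head = frames[0]
    body = b"".join(f.data for f in frames[1:] if isinstance(f, DataFrame))

    # Connection-specific framing headers are malformed in HTTP/2
    # (RFC 9113 section 8.2.2); never let them reach an HTTP/1.1 peer.
    if "transfer-encoding" in head.headers:
        raise RequestSmugglingRisk("transfer-encoding is not permitted in HTTP/2 requests")

    declared = parse_content_length(head.headers)
    if declared is not None and declared != len(body):
        raise RequestSmugglingRisk(
            f"content-length {declared} does not match {len(body)} body bytes "
            f"(end_stream={head.end_stream}, frames={len(frames)})"
        )

    method = head.headers[":method"]
    path = head.headers[":path"]
    authority = head.headers.get(":authority") or head.headers.get("host", "")
    lines = [f"{method} {path} HTTP/1.1", f"Host: {authority}"]
    for name, value in head.headers.items():
        # Pseudo-headers have no HTTP/1.1 form; host and content-length are
        # emitted exactly once below from validated values.
        if name.startswith(":") or name in ("host", "content-length"):
            continue
        if isinstance(value, str):
            lines.append(f"{name}: {value}")
        else:
            lines.extend(f"{name}: {v}" for v in value)
    # Always state the length explicitly so the HTTP/1.1 peer never guesses.
    lines.append(f"content-length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def is_rejected(frames: List[Union[HeadersFrame, DataFrame]]) -> bool:
    """True if the translator refuses the stream on smuggling grounds."""
    try:
        translate_to_http1(frames)
    except RequestSmugglingRisk:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the advisory's case, one HEADERS frame, END_STREAM
    # set, no body, yet a non-zero content-length.
    lone = HeadersFrame({":method": "POST", ":path": "/api",
                         ":authority": "example.test", "content-length": "45"},
                        end_stream=True)
    print("lone HEADERS frame with content-length 45 rejected:", is_rejected([lone]))
```

`is_rejected` exists so that a proxy's test suite can assert on the outcome without catching exceptions itself; in a real translator the rejection would become an HTTP 400 to the client and the stream would be reset rather than forwarded.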
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-4
Done: tony mancill <[email protected]>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 31 Mar 2021 22:01:52 -0700
Source: netty
Architecture: source
Version: 1:4.1.48-4
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 986217
Changes:
 netty (1:4.1.48-4) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-21409 (Closes: #986217)
     Address a vulnerability that enables request smuggling. The content-length
     header is not correctly validated if the request only uses a single
     Http2HeaderFrame with the endStream set to true. This could lead to request
     smuggling if the request is proxied to a remote peer and translated to
     HTTP/1.1.  This is a followup to CVE-2021-21295 to address this case.
Checksums-Sha1:
 aa383b5a6a230030c16e1576cec8cd629a434f7b 2468 netty_4.1.48-4.dsc
 32db8bb32ca68edb866a8bf06c3bca763b44cd3b 24196 netty_4.1.48-4.debian.tar.xz
 5daa534e35606b68366c04ac2daf57ceb6dda9d3 14197 netty_4.1.48-4_amd64.buildinfo
Checksums-Sha256:
 d4a9ff93064e5c80936ea85b4ccc96cdc7873612505cbfc199ad7d1c8c7c48ed 2468 netty_4.1.48-4.dsc
 b0e09c1c1c3ad3d81d695facf6a26bac37f1ce43cd84dc41a07b93776bd5ae2e 24196 netty_4.1.48-4.debian.tar.xz
 49c78b6a7536d5e006482c3c6e2ae2a8b01164e6cd7cc60d87a2d2f62c81c364 14197 netty_4.1.48-4_amd64.buildinfo
Files:
 070ad62dcccc1be6401079737faeb8e2 2468 java optional netty_4.1.48-4.dsc
 d1419390535f79c5c6e9a0ba8b7bf08f 24196 java optional netty_4.1.48-4.debian.tar.xz
 98d02a23b70f441b5cdfda6f09cc2ed7 14197 java optional netty_4.1.48-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAmBlXbQUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpaNKhAAjH1M4AIni78/kARrKpXluJdnuxFE
+9/kmvNFhGDJiCrO2+3c+289Fh9MTkjkPfEeLOW6bTvfXRjgVnpf13fjH6yIN8e6
TEHHNMlrAkeFqNPyiFzP7TlxUe5a7epgY3ZhC8Pn0+5T09c1fAvt7q+DLJ8K2mub
Qz1MKejinAKPkDtWSmHwyJKT5pBFx825xde9mcUuprpNBdV8UVKXclfMjfJpJtLK
6oKlZjwtAC7cY/E8XDiB93xSd0Q6Z0UfCvIwl1kNGW6M4n8uueiUWYSDgw/oT9Yj
yXLrJhkg2SyZhUqXb5mRQgVN9EBp8K7TUOJ88KcZbi33GyCFsd+E71ISQVDGthV0
EJ2Pt/W3X19blc/uyStAI5mKZ4y/hxUNFU6GQ17h8YtEGDeGmFaZUx3j2ctaxbQD
bUVVJM9MD6Yo9pbvxqJLbniRg39XP/hrQyiqw1nX94FAMFhAn5tu6D3Qo+b8GjxA
Lib/X+QdfiXR+tgxD/o8azPcwB5y568kjf8FAGBPYD2K/v84dq2k7r8pIw1dzYkC
9wSjDEjP8bvULeCDDDMfl35suPxMbccy+CcktveMk1GZxFq1xqWNaTVVCM2FH0sb
kU5bjBt4d+9J8L3G+W5TwoLm8vJYoHEOJL5EIelZAwusf909I6QwiFyb6rcbbiwA
qD00Y5hNAbrfAHQ=
=mPKl
-----END PGP SIGNATURE-----

--- End Message ---