netty: CVE-2021-21409

Related Vulnerabilities: CVE-2021-21409   CVE-2021-21295  

Debian Bug report logs - #986217
netty: CVE-2021-21409


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 31 Mar 2021 19:21:02 UTC

Severity: grave

Tags: security, upstream

Found in version netty/1:4.1.48-3

Fixed in version netty/1:4.1.48-4

Done: tony mancill <tmancill@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#986217; Package src:netty. (Wed, 31 Mar 2021 19:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 31 Mar 2021 19:21:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: netty: CVE-2021-21409
Date: Wed, 31 Mar 2021 21:18:11 +0200
Source: netty
Version: 1:4.1.48-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for netty.

Strictly speaking this might be disputable as RC severity, but I think
it should reach bullseye and so make it onto the RC severity bugs
radar. It is a followup to the CVE-2021-21295 issue where one case was
missed.

CVE-2021-21409[0]:
| Netty is an open-source, asynchronous event-driven network application
| framework for rapid development of maintainable high performance
| protocol servers & clients. In Netty (io.netty:netty-codec-http2)
| before version 4.1.61.Final there is a vulnerability that enables
| request smuggling. The content-length header is not correctly
| validated if the request only uses a single Http2HeaderFrame with the
| endStream set to true. This could lead to request smuggling if the
| request is proxied to a remote peer and translated to HTTP/1.1. This
| is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to
| fix this one case. This was fixed as part of 4.1.61.Final.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21409
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21409
[1] https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
[2] https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
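The missed case described in the CVE text above, as an added illustration that is not part of this bug report and is not Netty's code: a toy HTTP/2-to-HTTP/1.1 translator (frame classes, `translate_to_http1`, and the sample request are all constructed here) that shows the check a proxy must make when a request ends on its HEADERS frame.

```python
from dataclasses import dataclass


@dataclass
class HeadersFrame:           # simplified model of an HTTP/2 HEADERS frame
    headers: dict             # pseudo-headers (":method", ...) plus regular ones
    end_stream: bool


@dataclass
class DataFrame:              # simplified model of an HTTP/2 DATA frame
    payload: bytes
    end_stream: bool


def parse_content_length(headers):
    """Return the declared content-length as an int, or None if absent."""
    value = headers.get("content-length")
    if value is None:
        return None
    if not value.isdigit():   # reject signs, whitespace, exponents, etc.
        raise ValueError("malformed content-length: %r" % value)
    return int(value)


def translate_to_http1(frames, validate_headers_only_end=True):
    """Translate one HTTP/2 request stream into HTTP/1.1 request bytes.

    validate_headers_only_end=False models the pre-fix behaviour: the
    content-length check is skipped when the whole request is a single
    HEADERS frame with END_STREAM set, so a declared length with no body
    is forwarded as-is and the HTTP/1.1 peer will read the *next*
    request's bytes as this request's body.
    """
    head = frames[0]
    declared = parse_content_length(head.headers)
    body = b"".join(f.payload for f in frames[1:])
    ended_on_headers = len(frames) == 1 and head.end_stream
    if ended_on_headers and not validate_headers_only_end:
        pass                  # the missed case: no validation at all
    elif declared is not None and declared != len(body):
        raise ValueError("content-length %d does not match body of %d bytes"
                         % (declared, len(body)))
    lines = ["%s %s HTTP/1.1" % (head.headers[":method"], head.headers[":path"]),
             "host: " + head.headers[":authority"]]
    lines += ["%s: %s" % (k, v) for k, v in head.headers.items() if not k.startswith(":")]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def is_rejected(frames, **kwargs):
    """True if the translator refuses the stream (helper for checks)."""
    try:
        translate_to_http1(frames, **kwargs)
        return False
    except ValueError:
        return True


# Constructed sample: single HEADERS frame, END_STREAM set, no DATA frames,
# yet content-length claims an 11-byte body that never arrives.
SAMPLE_NO_BODY = [HeadersFrame({":method": "POST", ":path": "/x", ":authority": "h",
                                "content-length": "11"}, end_stream=True)]
```

With the check enabled the sample is rejected; with it disabled the translator emits `content-length: 11` followed by an empty body, which is exactly the inconsistency a downstream HTTP/1.1 parser would misinterpret.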



Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Thu, 01 Apr 2021 06:06:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 01 Apr 2021 06:06:03 GMT) (full text, mbox, link).


Message #10 received at 986217-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 986217-close@bugs.debian.org
Subject: Bug#986217: fixed in netty 1:4.1.48-4
Date: Thu, 01 Apr 2021 06:03:24 +0000
Source: netty
Source-Version: 1:4.1.48-4
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986217@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 31 Mar 2021 22:01:52 -0700
Source: netty
Architecture: source
Version: 1:4.1.48-4
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 986217
Changes:
 netty (1:4.1.48-4) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-21409 (Closes: #986217)
     Address a vulnerability that enables request smuggling. The content-length
     header is not correctly validated if the request only uses a single
     Http2HeaderFrame with the endStream set to true. This could lead to request
     smuggling if the request is proxied to a remote peer and translated to
     HTTP/1.1.  This is a followup to CVE-2021-21295 to address this case.







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 1 08:05:36 2021; Machine Name: buxtehude
