Your message dated Sun, 01 Jan 2023 22:27:55 +0000
with message-id <e1pc6o7-005iqj...@fasolo.debian.org>
and subject line Bug#1001437: fixed in netty 1:4.1.48-6
has caused the Debian Bug report #1001437,
regarding netty: CVE-2021-43797: HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1001437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001437
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.48-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for netty.

CVE-2021-43797[0]:
| Netty is an asynchronous event-driven network application framework
| for rapid development of maintainable high performance protocol
| servers & clients. Netty prior to version 4.1.7.1.Final skips
| control chars when they are present at the beginning / end of the
| header name. It should instead fail fast as these are not allowed by
| the spec and could lead to HTTP request smuggling. Failing to do the
| validation might cause netty to "sanitize" header names before it
| forward these to another remote system when used as proxy. This remote
| system can't see the invalid usage anymore, and therefore does not do
| the validation itself. Users should upgrade to version 4.1.7.1.Final
| to receive a patch.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-43797
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43797
[1] https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
[2] https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
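An added illustration, not Netty's own code, of the distinction the advisory above draws: a strict RFC 7230 header-name check that fails fast on any non-token character (including a leading or trailing control character) beside the lenient trim that silently "sanitizes" such characters away before the name reaches the next hop. The class name and the sample header value are constructed for this example.

```java
import java.util.BitSet;

/** Strict RFC 7230 header-name validation (added example, not Netty's code). */
public final class HeaderNameValidator {
    // tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
    //         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA   (RFC 7230, section 3.2.6)
    private static final BitSet TCHAR = new BitSet(128);
    static {
        for (char c : "!#$%&'*+-.^_`|~".toCharArray()) TCHAR.set(c);
        for (char c = '0'; c <= '9'; c++) TCHAR.set(c);
        for (char c = 'A'; c <= 'Z'; c++) TCHAR.set(c);
        for (char c = 'a'; c <= 'z'; c++) TCHAR.set(c);
    }

    /** Fail-fast: every character, first and last included, must be a tchar. */
    public static String validate(CharSequence name) {
        if (name.length() == 0) throw new IllegalArgumentException("empty header name");
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c >= 128 || !TCHAR.get(c)) {
                throw new IllegalArgumentException(String.format(
                    "invalid character 0x%02x at index %d in header name", (int) c, i));
            }
        }
        return name.toString();
    }

    /** The lenient behaviour the advisory describes: leading/trailing control
     *  characters are dropped, so a downstream system never sees them and
     *  cannot apply its own validation. */
    public static String lenientTrim(String name) {
        int start = 0, end = name.length();
        while (start < end && name.charAt(start) < 0x20) start++;
        while (end > start && name.charAt(end - 1) < 0x20) end--;
        return name.substring(start, end);
    }

    public static void main(String[] args) {
        String raw = "\u0001X-Example";   // constructed: control char before the name
        System.out.println("lenient: " + lenientTrim(raw));
        try {
            validate(raw);
            System.out.println("strict : accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("strict : rejected (" + e.getMessage() + ")");
        }
    }
}
```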
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-6
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Jan 2023 19:17:21 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-6
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1001437 1014769 1027180
Changes:
 netty (1:4.1.48-6) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-37136, CVE-2021-37137, CVE-2021-43797, CVE-2022-41881,
     and CVE-2022-41915. Several out-of-memory, stack overflow or HTTP request
     smuggling vulnerabilities have been discovered in Netty which may allow
     attackers to cause a denial of service or bypass restrictions when used as
     a proxy. (Closes: #1027180, #1014769, #1001437)
Checksums-Sha1:
 7366cf96228fbac8f97677ef8b2ff55a10c747f4 2590 netty_4.1.48-6.dsc
 2d1976bcf2c25536d7b81e5a72b12d29b8b31ef2 33360 netty_4.1.48-6.debian.tar.xz
 d5b102c79758a12874ffb787f7725e4f19548d8d 15942 netty_4.1.48-6_amd64.buildinfo
Checksums-Sha256:
 3938733395b97e671f9cb5d7dbb6b85e2b7ce0782cbfe5e79daed4199e269159 2590 netty_4.1.48-6.dsc
 faccf5c61ff9ea5ae8d287cdbf8c14f8bd1e35e038d40d149a1ac0e1563f7cdc 33360 netty_4.1.48-6.debian.tar.xz
 e7df6955e48e79d9ac99019054a0a41c88b23fd5cadc24a2e9fa6950ae58b3bd 15942 netty_4.1.48-6_amd64.buildinfo
Files:
 9a6e6be8152eef96d932afa2211bc175 2590 java optional netty_4.1.48-6.dsc
 9255fd5592f0a6da97f149fe0bacc91f 33360 java optional netty_4.1.48-6.debian.tar.xz
 2ba41f73284648cc7305e38c6f9eff1d 15942 java optional netty_4.1.48-6_amd64.buildinfo


--- End Message ---
