Your message dated Mon, 16 Jan 2023 19:02:37 +0000 with message-id <e1phukf-00gr7d...@fasolo.debian.org> and subject line Bug#1001437: fixed in netty 1:4.1.48-4+deb11u1 has caused the Debian Bug report #1001437, regarding netty: CVE-2021-43797: HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1001437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001437 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: netty Version: 1:4.1.48-4 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for netty. CVE-2021-43797[0]: | Netty is an asynchronous event-driven network application framework | for rapid development of maintainable high performance protocol | servers & clients. Netty prior to version 4.1.7.1.Final skips | control chars when they are present at the beginning / end of the | header name. It should instead fail fast as these are not allowed by | the spec and could lead to HTTP request smuggling. Failing to do the | validation might cause netty to "sanitize" header names before it | forward these to another remote system when used as proxy. This remote | system can't see the invalid usage anymore, and therefore does not do | the validation itself. Users should upgrade to version 4.1.7.1.Final | to receive a patch. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-43797 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43797 [1] https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq [2] https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: netty Source-Version: 1:4.1.48-4+deb11u1 Done: Markus Koschany <a...@debian.org> We believe that the bug you reported is fixed in the latest version of netty, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1001...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Markus Koschany <a...@debian.org> (supplier of updated netty package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 11 Jan 2023 21:00:08 CET Source: netty Architecture: source Version: 1:4.1.48-4+deb11u1 Distribution: bullseye-security Urgency: high Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Checksums-Sha1: 00616bfdebb1cd348d75a16f0a63ab82d4e784e4 2622 netty_4.1.48-4+deb11u1.dsc 022ad0c0c76dd4ba14b1e44d11cf0b99f0feeb2b 1665244 netty_4.1.48.orig.tar.xz ede1620eea8c78a7d240fa3882b99e55597efd61 33004 netty_4.1.48-4+deb11u1.debian.tar.xz cb9ef460ab8870f322e3bce707a1924250c23b86 14818 netty_4.1.48-4+deb11u1_amd64.buildinfo Checksums-Sha256: ddfca8c380aa2425ad7fc481a1615c74d486bd32d20154546635c5777bb423a8 2622 netty_4.1.48-4+deb11u1.dsc e5351d821f461f64af58e89f260ad8943b0ab75f26c1a845300a91f22a711600 1665244 netty_4.1.48.orig.tar.xz ec72fd97859516bf7508aa93d7704c5729d9a927c95c983a8e7f0e15220ed228 33004 netty_4.1.48-4+deb11u1.debian.tar.xz 2b5cb8d00143ab0a2946f2cb6ae5d7cb6fad3b424507d742079c03be71e75f28 14818 netty_4.1.48-4+deb11u1_amd64.buildinfo Closes: 1001437 1014769 1027180 Changes: netty (1:4.1.48-4+deb11u1) bullseye-security; urgency=high . * Team upload. * Fix CVE-2021-37136, CVE-2021-37137, CVE-2021-43797, CVE-2022-41881, and CVE-2022-41915. Several out-of-memory, stack overflow or HTTP request smuggling vulnerabilities have been discovered in Netty which may allow attackers to cause a denial of service or bypass restrictions when used as a proxy. (Closes: #1027180, #1014769, #1001437) Files: 61b21ae0b382ebc85d4b8a8e773972cc 2622 java optional netty_4.1.48-4+deb11u1.dsc ebc25581b3e2b6e1bb47200ba260a636 1665244 java optional netty_4.1.48.orig.tar.xz 4cfe6ef845de3b737f62a77fda3bb625 33004 java optional netty_4.1.48-4+deb11u1.debian.tar.xz 68ee933cf784189c4b5d18fecbd62268 14818 java optional netty_4.1.48-4+deb11u1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmO/FUtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp YW4ub3JnAAoJENmtFLlRO1HkNiQP/1H2TX19XlWtUkSMeOhVPJ35dRf2s4HADn3a O/UnYsql2m88cyqAb7vjZKdRG1K/aP2zFH6P3erv9IScUc4YjWQNwV7z6tJX4Ruo r5AFoVDfDhWxkdJK296/k7/iskLnevK/PPykR3U8iYP4CGC5VXWSpe3NMQ13Utjv eLoLx6JRf5UzRg2FyB7Eezn88GL/Tnt6OmuNnF6s+37HfszWoNJqCORgQ4bBlPNK TvNCj+RIMxBgnmKpbk2Dl9PEXI7O3RT4LjubNbf4YVrT9cO6DU+wflntfAeLNKLu Q2CXt9YJgk5EBO0FMGph0bHrnibYVufo/4aBLm7j2oQaVWgSmMbiq7Mu3luXuVZO 0XOldF9FCQQsyI1XD3yyGBNLGSDGSeN/hmnAAf5lafjL2U7Gkt1fcSC8GJ1+nJBX 6p+zqGwoQIg4mUn9D1bKx/YfFv20zlsyHP1foCr2AivPDlnMRgWyTUACO5N5ER6y guJA8bEq7es+4m1nHVB5fu6BsgLggHC5TcxY6Tq/IN6YoXfc08J1zXPO0mJp9bGB +iEJs/gymorNR77e/lBH8aHHiJSHQzZT034VREL5qbtPeGdAD2VTeuJSZ0KdfGeo VwTR4YqGhoH2pE+QOENApm5G5HEoJsHlcFwigqhk5WzK4z+zA3RZSqp/g786sIGy D4N8qlTg =3XdI -----END PGP SIGNATURE-----
--- End Message ---
