Source: netty
Version: 1:4.1.48-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for netty. Strictly speaking this might be disputable as RC severity, but I think it should reach bullseye and so make it on the RC severity bugs radar. It is a followup to the CVE-2021-21295 issue where one case was missed.

CVE-2021-21409[0]:
| Netty is an open-source, asynchronous event-driven network application
| framework for rapid development of maintainable high performance
| protocol servers & clients. In Netty (io.netty:netty-codec-http2)
| before version 4.1.61.Final there is a vulnerability that enables
| request smuggling. The content-length header is not correctly
| validated if the request only uses a single Http2HeaderFrame with the
| endStream set to true. This could lead to request smuggling if the
| request is proxied to a remote peer and translated to HTTP/1.1. This
| is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to
| fix this one case. This was fixed as part of 4.1.61.Final.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21409
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21409
[1] https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
[2] https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
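The check the advisory describes, as an added stand-alone Python model (not code from the bug report or from Netty): a HEADERS frame with endStream set carries no body, so before an HTTP/2 to HTTP/1.1 translator copies a content-length header it must confirm the header agrees with that. The header-list representation and the function names are assumptions for this example.

```python
from typing import Iterable, Optional, Tuple

# Constructed representation: one HEADERS frame's header list as
# (name, value) pairs, HTTP/2 pseudo-headers included.
HeaderList = Iterable[Tuple[str, str]]


def validate_content_length(headers: HeaderList, end_stream: bool) -> Optional[str]:
    """Return a rejection reason, or None if the frame is consistent.

    Models the validation the advisory says was missing: with endStream set
    there are no DATA frames, so any non-zero content-length the frame
    declares would become bogus HTTP/1.1 framing on the proxied connection.
    """
    values = [v.strip() for n, v in headers if n.lower() == "content-length"]
    if not values:
        return None
    if not all(v.isdigit() for v in values):
        return "content-length is not a non-negative integer"
    lengths = {int(v) for v in values}
    if len(lengths) > 1:
        return "multiple content-length values disagree"
    declared = lengths.pop()
    if end_stream and declared != 0:
        return f"endStream set but content-length declares {declared} bytes"
    return None


def to_http11(headers: HeaderList, end_stream: bool) -> bytes:
    """Translate one HEADERS frame to an HTTP/1.1 request head.

    Frames failing the check above are refused instead of being forwarded;
    :authority becomes the Host header, other pseudo-headers are dropped.
    """
    headers = list(headers)
    reason = validate_content_length(headers, end_stream)
    if reason is not None:
        raise ValueError(reason)
    pseudo = {n: v for n, v in headers if n.startswith(":")}
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"]
    if ":authority" in pseudo:
        lines.append(f"host: {pseudo[':authority']}")
    lines.extend(f"{n}: {v}" for n, v in headers if not n.startswith(":"))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
```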