
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3049
                           netty security update
                             7 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           netty
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11612 CVE-2020-7238 CVE-2019-20445
                   CVE-2019-20444 CVE-2019-16869 

Reference:         ESB-2020.0583
                   ESB-2020.0582
                   ESB-2020.0045
                   ESB-2019.3675

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2364-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                  Roberto C. Sánchez
September 04, 2020                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : netty
Version        : 1:4.1.7-2+deb9u2
CVE ID         : CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 CVE-2020-11612
Debian Bug     : 950966 950967

Several vulnerabilities have been discovered in netty, a Java NIO
client/server socket framework.

CVE-2019-20444

    HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header
    that lacks a colon, which might be interpreted as a separate header
    with an incorrect syntax, or might be interpreted as an "invalid
    fold."

CVE-2019-20445

    HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length
    header to be accompanied by a second Content-Length header, or by a
    Transfer-Encoding header.

CVE-2020-7238

    Netty 4.1.43.Final allows HTTP Request Smuggling because it
    mishandles Transfer-Encoding whitespace (such as a
    [space]Transfer-Encoding:chunked line) and a later Content-Length
    header. This issue exists because of an incomplete fix for
    CVE-2019-16869.
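The three HTTP-parsing issues above (CVE-2019-20444, CVE-2019-20445 and CVE-2020-7238) share one root cause: a lenient decoder that accepts a header block two parsers could read differently, which is the precondition for request smuggling. The validator below is an added illustration, not Netty's code or Debian's fix; it applies the RFC 7230 rules a strict decoder enforces to a CRLF-delimited header block and returns every reason to reject it. The sample header blocks are constructed, not captured traffic.

```python
import re

# RFC 7230 "token" characters: a field-name must consist only of these, so a
# name containing whitespace (or nothing at all) is rejected.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_header_block(raw: bytes) -> list:
    """Return the reasons to reject this header block (empty list = accept).

    `raw` is the header section only: every line after the request line up
    to and including the blank line that ends the headers, CRLF-delimited.
    """
    problems = []
    content_lengths = []
    has_transfer_encoding = False

    for lineno, line in enumerate(raw.split(b"\r\n"), 1):
        if line == b"":
            continue  # the terminating blank line (and trailing empty split)
        # A line starting with SP/HTAB is obsolete line folding. This is the
        # "invalid fold" case from CVE-2019-20444 and the shape of the
        # "[space]Transfer-Encoding:chunked" line from CVE-2020-7238; a strict
        # decoder refuses it instead of guessing which field it belongs to.
        if line[:1] in (b" ", b"\t"):
            problems.append(f"line {lineno}: obs-fold / leading whitespace")
            continue
        # CVE-2019-20444: a header line without a colon is not a field.
        if b":" not in line:
            problems.append(f"line {lineno}: no colon in header line")
            continue
        name, value = line.split(b":", 1)
        # RFC 7230 3.2.4: no whitespace between field-name and colon.
        if not _TOKEN_RE.match(name.decode("latin-1")):
            problems.append(f"line {lineno}: invalid field-name {name!r}")
            continue
        lname = name.lower()
        value = value.strip(b" \t")
        if lname == b"content-length":
            if not value.isdigit():
                problems.append(f"line {lineno}: non-numeric Content-Length {value!r}")
            content_lengths.append(value)
        elif lname == b"transfer-encoding":
            has_transfer_encoding = True

    # CVE-2019-20445: a second Content-Length, or Content-Length beside
    # Transfer-Encoding, leaves the message length ambiguous between a
    # front-end and a back-end parser. Reject rather than pick one.
    if len(content_lengths) > 1:
        problems.append("multiple Content-Length headers")
    if content_lengths and has_transfer_encoding:
        problems.append("Content-Length together with Transfer-Encoding")
    return problems


# Constructed sample header blocks (hypothetical host name, not real traffic).
CLEAN = b"Host: example.test\r\nContent-Length: 5\r\n\r\n"
NO_COLON = b"Host example.test\r\n\r\n"
DUPLICATE_CL = b"Content-Length: 4\r\nContent-Length: 11\r\n\r\n"
CL_AND_TE = b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
FOLDED_TE = b"Host: example.test\r\n Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n"

if __name__ == "__main__":
    for label, block in [("clean", CLEAN), ("no colon", NO_COLON),
                         ("duplicate CL", DUPLICATE_CL), ("CL+TE", CL_AND_TE),
                         ("folded TE", FOLDED_TE)]:
        print(f"{label:13s} -> {validate_header_block(block) or 'accept'}")
```

Rejecting on ambiguity, rather than choosing Transfer-Encoding over Content-Length as RFC 7230 permits, is the conservative choice for anything that sits behind or in front of another HTTP parser, because the risk lies in the two parsers disagreeing, not in either reading by itself.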

CVE-2020-11612

    The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded
    memory allocation while decoding a ZlibEncoded byte stream. An
    attacker could send a large ZlibEncoded byte stream to the Netty
    server, forcing the server to allocate all of its free memory to a
    single decoder.

For Debian 9 stretch, these problems have been fixed in version
1:4.1.7-2+deb9u2.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/netty

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================