-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1144
                           netty security update
                               6 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           netty
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21409 CVE-2021-21295 CVE-2021-21290
                   CVE-2020-11612 CVE-2020-7238 CVE-2019-20445
                   CVE-2019-20444  

Reference:         ESB-2021.1108
                   ESB-2020.4464
                   ESB-2020.3697
                   ESB-2020.3243

Original Bulletin: 
   https://lists.debian.org/debian-security-announce/2021/msg00066.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4885-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 05, 2021                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : netty
CVE ID         : CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 CVE-2020-11612 
                 CVE-2021-21290 CVE-2021-21295 CVE-2021-21409

Multiple security issues were discovered in Netty, a Java NIO
client/server framework, which could result in HTTP request smuggling,
denial of service or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 1:4.1.33-1+deb10u2.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/netty

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================