Package "libnetty-java"
Name: libnetty-java
Description: Java NIO client/server socket framework
Latest version: 1:4.1.7-4ubuntu0.1
Release: bionic (18.04)
Level: updates
Repository: universe
Head package: netty
Homepage: http://netty.io/
Changelog
netty (1:4.1.7-4ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP request smuggling
    HTTP header names as defined by RFC7230#section-3.2.4.
    - debian/patches/0005-CVE-2019-20444.patch: Detect missing colon when
      parsing http headers with no value.
    - debian/patches/0006-CVE-2019-20445-1.patch: Verify we do not receive
      multiple content-length headers or a content-length and
      transfer-encoding: chunked header when using HTTP/1.1.
    - debian/patches/0007-CVE-2019-20445-2.patch: Remove "Content-Length" when
      decoding HTTP/1.1 message with both "Transfer-Encoding: chunked" and
      "Content-Length".
    - debian/patches/18-CVE-2019-20445-3.patch: Added tests for
      Transfer-Encoding header with whitespace.
    - CVE-2019-20444
    - CVE-2019-20445
  * SECURITY UPDATE: Memory buffer out of bounds
    - debian/patches/19-CVE-2020-11612.patch: Allow a limit to be set on the
      decompressed buffer size for ZlibDecoders.
    - CVE-2020-11612

 -- Paulo Flabiano Smorigo <email address hidden>  Mon, 26 Oct 2020 13:24:33 +0000

CVE-2019-20444: HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incor
CVE-2019-20445: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-En
CVE-2020-11612: The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send