UbuntuUpdates.org

Package "libnetty-java"

Name: libnetty-java

Description:

Java NIO client/server socket framework

Latest version: 1:4.1.7-4ubuntu0.1
Release: bionic (18.04)
Level: updates
Repository: universe
Head package: netty
Homepage: http://netty.io/

Links


Download "libnetty-java"


Other versions of "libnetty-java" in Bionic

Repository Area Version
base universe 1:4.1.7-4
security universe 1:4.1.7-4ubuntu0.1

Changelog

Version: 1:4.1.7-4ubuntu0.1 2021-02-18 23:07:01 UTC

  netty (1:4.1.7-4ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP request smuggling
      HTTP header names as defined by RFC7230#section-3.2.4.
    - debian/patches/0005-CVE-2019-20444.patch: Detect missing colon when
      parsing http headers with no value.
    - debian/patches/0006-CVE-2019-20445-1.patch: Verify we do not receive
      multiple content-length headers or a content-length and
      transfer-encoding: chunked header when using HTTP/1.1.
    - debian/patches/0007-CVE-2019-20445-2.patch: Remove "Content-Length" when
      decoding HTTP/1.1 message with both "Transfer-Encoding: chunked" and
      "Content-Length".
    - debian/patches/18-CVE-2019-20445-3.patch: Added tests for
      Transfer-Encoding header with whitespace.
    - CVE-2019-20444
    - CVE-2019-20445
  * SECURITY UPDATE: Memory buffer out of bounds
    - debian/patches/19-CVE-2020-11612.patch: Allow a limit to be set on the
      decompressed buffer size for ZlibDecoders.
    - CVE-2020-11612

 -- Paulo Flabiano Smorigo <email address hidden> Mon, 26 Oct 2020 13:24:33 +0000

CVE-2019-20444 HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incor
CVE-2019-20445 HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-En
CVE-2020-11612 The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send



About   -   Send Feedback to @ubuntu_updates