Your message dated Mon, 24 Feb 2020 16:36:10 +0000
with message-id <[email protected]>
and subject line Bug#950966: fixed in netty 1:4.1.45-1
has caused the Debian Bug report #950966,
regarding netty: CVE-2019-20444
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
950966: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950966
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.33-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/netty/netty/issues/9866

Hi,

The following vulnerability was published for netty.

CVE-2019-20444[0]:
| HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header
| that lacks a colon, which might be interpreted as a separate header
| with an incorrect syntax, or might be interpreted as an "invalid
| fold."


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20444
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
[1] https://github.com/netty/netty/issues/9866
[2] https://github.com/netty/netty/commit/a7c18d44b46e02dadfe3da225a06e5091f5f328e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
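
The behaviour named in the CVE description above, shown as an added example (not code from Netty or from the bug report): a simplified model of a tolerant header parser that glues a colon-less line onto the previous header, beside a strict parser that rejects it. The function names, the sample header block and the choice to reject folded lines outright are assumptions of this example.

```python
import re

# Characters RFC 7230 allows in a header field name (a "token").
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class HeaderSyntaxError(ValueError):
    """Raised by the strict parser for any malformed header line."""

def parse_headers_strict(block):
    """Parse a CRLF-separated header block; reject lines without a valid 'name:'."""
    headers = []
    for raw in block.split(b"\r\n"):
        if not raw:
            break  # an empty line ends the header section
        line = raw.decode("latin-1")
        if line[0] in " \t":
            raise HeaderSyntaxError("folded line rejected: %r" % line)
        name, sep, value = line.partition(":")
        if not sep:
            raise HeaderSyntaxError("header line lacks a colon: %r" % line)
        if not TOKEN.fullmatch(name):
            raise HeaderSyntaxError("invalid field name: %r" % name)
        headers.append((name, value.strip(" \t")))
    return headers

def parse_headers_lenient(block):
    """Model of a tolerant parser: a colon-less line is treated as a fold."""
    headers = []
    for raw in block.split(b"\r\n"):
        if not raw:
            break
        line = raw.decode("latin-1")
        name, sep, value = line.partition(":")
        if not sep and headers:
            prev_name, prev_value = headers[-1]
            headers[-1] = (prev_name, prev_value + " " + line.strip())
        else:
            headers.append((name.strip(), value.strip()))
    return headers

# Constructed sample input: the second line of SAMPLE has no colon.
SAMPLE = b"Host: example.test\r\nX-Broken-Header\r\nContent-Length: 5\r\n\r\n"
WELL_FORMED = b"Host: example.test\r\nContent-Length: 5\r\n\r\n"
```

When two HTTP components on the same path disagree about such a line (one folding it, one rejecting or dropping it), they no longer see the same set of headers, which is why the strict form fails closed.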
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.45-1
Done: Emmanuel Bourg <[email protected]>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <[email protected]> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 17:10:37 +0100
Source: netty
Architecture: source
Version: 1:4.1.45-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Emmanuel Bourg <[email protected]>
Closes: 950966 950967
Changes:
 netty (1:4.1.45-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2019-20444, CVE-2019-20445 and CVE-2020-7238
       (Closes: #950966, #950967)
     - Refreshed the patches
     - Updated the Maven rules
     - Depend on libnetty-tcnative-java (>= 2.0.28)
     - Disabled the native image support due to missing dependencies
     - Disabled the BlockHound integration
   * Standards-Version updated to 4.5.0


--- End Message ---
