Your message dated Mon, 06 Jan 2020 22:32:09 +0000
with message-id <[email protected]>
and subject line Bug#941266: fixed in netty 1:4.1.33-1+deb10u1
has caused the Debian Bug report #941266,
regarding netty: CVE-2019-16869
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
941266: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941266
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.33-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/netty/netty/issues/9571
Hi,
The following vulnerability was published for netty.
CVE-2019-16869[0]:
| Netty before 4.1.42.Final mishandles whitespace before the colon in
| HTTP headers (such as a "Transfer-Encoding : chunked" line), which
| leads to HTTP request smuggling.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16869
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
[1] https://github.com/netty/netty/issues/9571
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.33-1+deb10u1
We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated netty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Jan 2020 23:19:52 +0100
Source: netty
Architecture: source
Version: 1:4.1.33-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 941266
Changes:
 netty (1:4.1.33-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Correctly handle whitespaces in HTTP header names as defined by
     RFC7230#section-3.2.4 (CVE-2019-16869) (Closes: #941266)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
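
Added example, not part of the original messages and not Netty's code: a strict field-name check following RFC 7230 section 3.2.4, which the CVE description and the changelog entry both refer to, run on the "Transfer-Encoding : chunked" line. The two lenient name rules and the sample header block are constructed for illustration; they show how parsers that tolerate the space can disagree on body framing, while the strict rule rejects the request.

```python
import re

# field-name = token = 1*tchar (RFC 7230 section 3.2.6)
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class BadRequest(ValueError):
    """Header line that must be answered with 400 (RFC 7230 section 3.2.4)."""


def strict_name(raw: bytes) -> str:
    if raw != raw.rstrip(b" \t"):
        raise BadRequest(f"whitespace between field-name and colon: {raw!r}")
    if not TOKEN.fullmatch(raw):
        raise BadRequest(f"invalid field-name: {raw!r}")
    return raw.decode("ascii").lower()


# Two lenient readings, for comparison only (hypothetical, not Netty's code).
def verbatim_name(raw: bytes) -> str:
    return raw.decode("latin-1").lower()          # keeps the trailing space


def trimmed_name(raw: bytes) -> str:
    return raw.strip(b" \t").decode("latin-1").lower()


def framing(block: bytes, name_rule) -> str:
    """Return which header a parser using name_rule would frame the body by."""
    names = set()
    for line in block.split(b"\r\n"):
        if not line:
            break                                  # blank line ends the headers
        raw_name, sep, _value = line.partition(b":")
        if not sep:
            raise BadRequest(f"no colon in header line: {line!r}")
        names.add(name_rule(raw_name))
    # Transfer-Encoding takes precedence over Content-Length (RFC 7230 3.3.3)
    if "transfer-encoding" in names:
        return "transfer-encoding"
    return "content-length" if "content-length" in names else "none"


# Constructed sample header block using the line quoted in the CVE text.
SAMPLE = (b"Host: example.test\r\n"
          b"Content-Length: 5\r\n"
          b"Transfer-Encoding : chunked\r\n\r\n")
```

With `SAMPLE`, the verbatim rule frames the body by Content-Length and the trimming rule by Transfer-Encoding; only `strict_name` removes the ambiguity by refusing the request.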