Your message dated Wed, 08 Jan 2020 21:47:37 +0000
with message-id <[email protected]>
and subject line Bug#941266: fixed in netty 1:4.1.7-2+deb9u1
has caused the Debian Bug report #941266,
regarding netty: CVE-2019-16869
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
941266: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941266
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.33-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/netty/netty/issues/9571

Hi,

The following vulnerability was published for netty.

CVE-2019-16869[0]:
| Netty before 4.1.42.Final mishandles whitespace before the colon in
| HTTP headers (such as a "Transfer-Encoding : chunked" line), which
| leads to HTTP request smuggling.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16869
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
[1] https://github.com/netty/netty/issues/9571

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.7-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 Jan 2020 23:46:59 +0100
Source: netty
Architecture: source
Version: 1:4.1.7-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 941266
Changes:
 netty (1:4.1.7-2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Correctly handle whitespaces in HTTP header names as defined by
     RFC7230#section-3.2.4 (CVE-2019-16869) (Closes: #941266)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
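
The header rule the changelog entry cites (RFC 7230 section 3.2.4), as an added example that is not part of the original messages and is not netty's code: two lenient readings of a "Transfer-Encoding : chunked" line pick different body framing, while a strict parser answers 400. The sample request and all function names are constructed for illustration.

```python
import re

# Characters RFC 7230 allows in a header field-name (the "token" rule).
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed sample header block; the last line has a space before the colon.
SAMPLE = ["Host: example.test", "Content-Length: 4", "Transfer-Encoding : chunked"]


class BadRequest(ValueError):
    """Raised when a header line must be answered with 400."""


def parse_header_line(line):
    """Strict parse: nothing but token characters may precede the colon."""
    name, sep, value = line.partition(":")
    if not sep:
        raise BadRequest("no colon in header line: %r" % line)
    if not TOKEN.fullmatch(name):
        # Covers "Transfer-Encoding " (trailing space) and empty names.
        raise BadRequest("invalid field-name: %r" % name)
    return name.lower(), value.strip(" \t")


def lenient_framing(lines, trim_name):
    """Model of a lenient parser; returns the header it would frame the body by.

    trim_name=True strips whitespace around the name, trim_name=False keeps
    the name verbatim, so "transfer-encoding " is just an unknown header.
    """
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        if trim_name:
            name = name.strip(" \t")
        headers[name.lower()] = value.strip(" \t")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return "chunked"
    return "content-length" if "content-length" in headers else "none"


def strict_status(lines):
    """Status a strict server returns for this header block."""
    try:
        for line in lines:
            parse_header_line(line)
    except BadRequest:
        return 400
    return 200
```

Two hops that disagree the way the two `lenient_framing` calls do will not agree on where the request body ends; rejecting the line outright removes the ambiguity.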
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
