Your message dated Fri, 26 Mar 2021 22:48:34 +0000
with message-id <[email protected]>
and subject line Bug#984948: fixed in netty 1:4.1.48-3
has caused the Debian Bug report #984948,
regarding netty: CVE-2021-21295
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
984948: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984948
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.48-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for netty.

CVE-2021-21295[0]:
| Netty is an open-source, asynchronous event-driven network application
| framework for rapid development of maintainable high performance
| protocol servers & clients. In Netty (io.netty:netty-codec-http2)
| before version 4.1.60.Final there is a vulnerability that enables
| request smuggling. If a Content-Length header is present in the
| original HTTP/2 request, the field is not validated by
| `Http2MultiplexHandler` as it is propagated up. This is fine as long
| as the request is not proxied through as HTTP/1.1. If the request
| comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain
| objects (`HttpRequest`, `HttpContent`, etc.) via
| `Http2StreamFrameToHttpObjectCodec` and then sent up to the child
| channel's pipeline and proxied through a remote peer as HTTP/1.1 this
| may result in request smuggling. In a proxy case, users may assume the
| content-length is validated somehow, which is not the case. If the
| request is forwarded to a backend channel that is a HTTP/1.1
| connection, the Content-Length now has meaning and needs to be
| checked. An attacker can smuggle requests inside the body as it gets
| downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the
| linked GitHub Advisory. Users are only affected if all of this is
| true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used,
| `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1
| objects, and these HTTP/1.1 objects are forwarded to another remote
| peer. This has been patched in 4.1.60.Final As a workaround, the user
| can do the validation by themselves by implementing a custom
| `ChannelInboundHandler` that is put in the `ChannelPipeline` behind
| `Http2StreamFrameToHttpObjectCodec`.


[1] contains some more details and [2] is the upstream merge to fix
the issue; not sure if it can be backported to older versions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21295
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295
[1] https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
[2] 
https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-3
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Mar 2021 13:37:15 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 984948
Changes:
 netty (1:4.1.48-3) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-21295:
     There is a vulnerability that enables request smuggling. If a
     Content-Length header is present in the original HTTP/2 request, the field
     is not validated by `Http2MultiplexHandler` as it is propagated up. This is
     fine as long as the request is not proxied through as HTTP/1.1. If the
     request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1
     domain objects (`HttpRequest`, `HttpContent`, etc.) via
     `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's
     pipeline and proxied through a remote peer as HTTP/1.1 this may result in
     request smuggling. (Closes: #984948)
Checksums-Sha1:
 c60c819be2b80fc6737e322b37b7c3a7d561e883 2590 netty_4.1.48-3.dsc
 b9388c1a8f1ccc9bf962eee733c24610d2644d17 22828 netty_4.1.48-3.debian.tar.xz
 7ab7688bf7d2ce12f4b74af85b3800766b2532d9 14173 netty_4.1.48-3_amd64.buildinfo
Checksums-Sha256:
 7280cbc653e554cdabf4030bb797d99d40595dcbf0837452e58f06fb8e0308d4 2590 netty_4.1.48-3.dsc
 6c46a1aed05693555114fd5b9be81f0a04e2580b8a8b71450b45e48d747b9070 22828 netty_4.1.48-3.debian.tar.xz
 e41356e1ec44ebd31d2c803b47d612d796a199a6b6f4ba2b21d2d2477acf84c3 14173 netty_4.1.48-3_amd64.buildinfo
Files:
 e69025191209806015b5e044c1fe8b0d 2590 java optional netty_4.1.48-3.dsc
 b4ae23372fbeb55842b98c37fede59df 22828 java optional netty_4.1.48-3.debian.tar.xz
 d6e9a9959ef907f5378d5def0eba4749 14173 java optional netty_4.1.48-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
