netty-3.9 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

* Ubuntu 18.04 LTS

Summary

Several security issues were fixed in Netty.

Software Description

* netty-3.9 - Asynchronous event-driven network application
framework

Details

It was discovered that Netty incorrectly handled certain HTTP
headers. By sending an HTTP header with whitespace before the
colon, a remote attacker could possibly use this issue to perform
an HTTP request smuggling attack. (CVE-2019-16869)

It was discovered that Netty incorrectly handled certain HTTP
headers. By sending an HTTP header that lacks a colon, a remote
attacker could possibly use this issue to perform an HTTP request
smuggling attack. (CVE-2019-20444)

It was discovered that Netty incorrectly handled certain HTTP
headers. By sending a Content-Length header accompanied by a
second Content-Length header, or by a Transfer-Encoding header, a
remote attacker could possibly use this issue to perform an HTTP
request smuggling attack. (CVE-2019-20445)

Update instructions

The problem can be corrected by updating your system to the
following package versions:

Ubuntu 18.04 LTS
libnetty-3.9-java - 3.9.9.Final-1+deb9u1build0.18.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary
changes.

References

* CVE-2019-16869
* CVE-2019-20444
* CVE-2019-20445

--- Mystic BBS v1.12 A46 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)

netty-3.9 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

* Ubuntu 16.04 LTS

Summary

Netty could be made to expose sensitive information over the
network.

Software Description

* netty-3.9 - Asynchronous event-driven network application
framework

Details

It was discovered that Netty had HTTP request smuggling
vulnerabilities. A remote attacker could used it to extract
sensitive information. (CVE-2019-16869, CVE-2019-20444,
CVE-2019-20445, CVE-2020-7238)

Update instructions

The problem can be corrected by updating your system to the
following package versions:

Ubuntu 16.04 LTS
libnetty-3.9-java - 3.9.0.Final-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary
changes.

References

* CVE-2019-16869
* CVE-2019-20444
* CVE-2019-20445
* CVE-2020-7238

--- Mystic BBS v1.12 A46 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)

netty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

* Ubuntu 18.04 LTS

Summary

netty could be made to crash or run programs if it received
specially crafted network traffic.

Software Description

* netty - None

Details

USN-4600-1 fixed multiple vunerabilities in Netty 3.9. This update
provides the corresponding fixes for CVE-2019-20444,
CVE-2019-20445 for Netty.

Also it was discovered that Netty allow for unbounded memory
allocation. A remote attacker could send a large stream to the
Netty server causing it to crash (denial of service).
(CVE-2020-11612)

Original advisory details:

It was discovered that Netty had HTTP request smuggling
vulnerabilities. A remote attacker could used it to extract
sensitive information. (CVE-2019-16869, CVE-2019-20444,
CVE-2019-20445, CVE-2020-7238)

Update instructions

The problem can be corrected by updating your system to the
following package versions:

Ubuntu 18.04 LTS
libnetty-java - 1:4.1.7-4ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary
changes.

References

* USN-4600-1
* CVE-2019-20444
* CVE-2019-20445
* CVE-2020-11612

--- Mystic BBS v1.12 A46 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)