netty (1:4.1.48-5ubuntu0.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2021-37136.patch: Introduce maximum limit for the
      decompressed output data of the Bzip2 decompression decoder function.
    - CVE-2021-37136
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2021-37137.patch: Introduce maximum limit for the
      Snappy frame decoder function.
    - CVE-2021-37137
  * SECURITY UPDATE: HTTP request smuggling
    - debian/patches/CVE-2021-43797.patch: Properly validate and reject
      disallowed control chars at the beginning and end of header names.
    - CVE-2021-43797
  * SECURITY UPDATE: Stack overflow vulnerability
    - debian/patches/CVE-2022-41881.patch: Introduce maximum limit for nesting
      of TLV to avoid infinite recursion on malformed crafted messages.
    - CVE-2022-41881
  * SECURITY UPDATE: HTTP Response Splitting
    - debian/patches/CVE-2022-41915.patch: Add missing header value validation
      for setObject methods that take arrays and iterators as arguments.
    - CVE-2022-41915

 -- Fabian Toepfer <email address hidden>  Fri, 21 Apr 2023 23:14:28 +0200
netty (1:4.1.48-5) unstable; urgency=medium

  * Team upload.
  * Fix FTBFS on Java 17 (Closes: #1011135)

 -- tony mancill <email address hidden>  Wed, 25 May 2022 22:09:22 -0700
netty (1:4.1.48-4) unstable; urgency=high

  * Team upload.
  * Fix CVE-2021-21409 (Closes: #986217)
    Address a vulnerability that enables request smuggling. The content-length
    header is not correctly validated if the request only uses a single
    Http2HeaderFrame with the endStream set to true. This could lead to request
    smuggling if the request is proxied to a remote peer and translated to
    HTTP/1.1. This is a follow-up to CVE-2021-21295 to address this case.

 -- tony mancill <email address hidden>  Wed, 31 Mar 2021 22:01:52 -0700
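The consistency check behind that entry, written as an added stand-alone example rather than Netty's own code or patch: a HEADERS frame carrying END_STREAM ends the request, so no DATA frames can follow, and a non-zero content-length on such a frame describes a body that will never arrive. If a proxy translates that request to HTTP/1.1 with the header intact, the downstream peer waits for (or reads ahead into) bytes that belong to the next request. The class name, the exception type and the rule "content-length must be 0 when END_STREAM is set" are the example's own assumptions about what the fix enforces, not text from the changelog.

```java
import java.util.Map;

/**
 * Added example (not Netty's code): reject an HTTP/2 request whose HEADERS
 * frame both closes the stream (END_STREAM) and declares a non-zero body
 * length, before it is translated to HTTP/1.1 and forwarded.
 */
public final class EndStreamContentLengthCheck {

    /** Thrown when the decoded request is inconsistent and must not be proxied. */
    public static final class InvalidRequestException extends Exception {
        public InvalidRequestException(String msg) { super(msg); }
    }

    private EndStreamContentLengthCheck() {}

    /**
     * Validates a decoded HTTP/2 headers block.
     *
     * @param headers   header name to value; names already lower-cased (HTTP/2 requires it)
     * @param endStream true if the HEADERS frame had the END_STREAM flag set
     * @return the body length to carry into the HTTP/1.1 translation (0 when absent)
     */
    public static long validate(Map<String, String> headers, boolean endStream)
            throws InvalidRequestException {
        String raw = headers.get("content-length");
        if (raw == null) {
            return 0L;
        }
        long declared;
        try {
            declared = Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            throw new InvalidRequestException("content-length is not a number: " + raw);
        }
        if (declared < 0) {
            throw new InvalidRequestException("negative content-length: " + raw);
        }
        if (endStream && declared != 0) {
            // The stream is already closed on this frame: nothing can satisfy
            // the declared length, so forwarding it would desynchronise the peer.
            throw new InvalidRequestException(
                "content-length " + declared + " on a HEADERS frame with END_STREAM");
        }
        return declared;
    }

    // Constructed sample input (not captured traffic) for a manual run.
    public static void main(String[] args) throws InvalidRequestException {
        Map<String, String> consistent =
            Map.of(":method", "POST", ":path", "/", "content-length", "0");
        System.out.println("accepted, body length " + validate(consistent, true));

        Map<String, String> inconsistent =
            Map.of(":method", "POST", ":path", "/", "content-length", "42");
        try {
            validate(inconsistent, true);
            System.out.println("unexpectedly accepted");
        } catch (InvalidRequestException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A proxy would call `validate` once per decoded headers block and close the stream with a protocol error on the exception instead of emitting an HTTP/1.1 request; the same rule is the reason a request that arrives as a single END_STREAM frame with no content-length is safe to forward with a zero-length body.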