[USN-4600-2] Netty vulnerabilities

Paulo Flabiano Smorigo pfsmorigo at canonical.com
Tue Oct 27 18:36:03 UTC 2020


==========================================================================
Ubuntu Security Notice USN-4600-2
October 27, 2020

netty vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

netty could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- netty: None

Details:

USN-4600-1 fixed multiple vunerabilities in Netty 3.9. This update provides
the corresponding fixes for CVE-2019-20444, CVE-2019-20445 for Netty.

Also it was discovered that Netty allow for unbounded memory allocation. A
remote attacker could send a large stream to the Netty server causing it to
crash (denial of service). (CVE-2020-11612)

Original advisory details:

 It was discovered that Netty had HTTP request smuggling vulnerabilities. A
 remote attacker could used it to extract sensitive information. (CVE-2019-16869,
 CVE-2019-20444, CVE-2019-20445, CVE-2020-7238)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  libnetty-java                   1:4.1.7-4ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/4600-2
  https://usn.ubuntu.com/4600-1
  CVE-2019-20444, CVE-2019-20445, CVE-2020-11612

Package Information:
  https://launchpad.net/ubuntu/+source/netty/1:4.1.7-4ubuntu0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20201027/727ddf9f/attachment.sig>


More information about the ubuntu-security-announce mailing list