USN-4600-2: Netty vulnerabilities
27 October 2020
netty could be made to crash or run programs if it received specially crafted network traffic.
Releases
Packages
- netty - None
Details
USN-4600-1 fixed multiple vunerabilities in Netty 3.9. This update provides
the corresponding fixes for CVE-2019-20444, CVE-2019-20445 for Netty.
Also it was discovered that Netty allow for unbounded memory allocation. A
remote attacker could send a large stream to the Netty server causing it to
crash (denial of service). (CVE-2020-11612)
Original advisory details:
It was discovered that Netty had HTTP request smuggling vulnerabilities. A
remote attacker could used it to extract sensitive information. (CVE-2019-16869,
CVE-2019-20444, CVE-2019-20445, CVE-2020-7238)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.04
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-4532-1: libnetty-3.9-java, netty-3.9
- USN-4600-1: libnetty-3.9-java, netty-3.9
- USN-6049-1: netty, libnetty-java