Debian Netty vulnerabilities
31 known vulnerabilities affecting debian/netty.
Total CVEs: 31
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 2, HIGH 11, MEDIUM 11, LOW 7
Vulnerabilities
Page 2 of 2
CVE-2021-21290 | MEDIUM | CVSS 6.2 | fixed in netty 1:4.1.48-2 (bookworm) | 2021
  Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the
CVE-2021-21409 | MEDIUM | CVSS 5.9 | fixed in netty 1:4.1.48-4 (bookworm) | 2021
  Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a s
CVE-2020-7238 | HIGH | CVSS 7.5 | fixed in netty 1:4.1.45-1 (bookworm) | 2020
  Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
  Scope: local
  bookworm: resolved (fixed in 1:4.1.45-1)
  bullseye: resolved (fixed in 1:4.1.45-1)
  forky: resolved (fixed in
CVE-2020-11612 | HIGH | CVSS 7.5 | fixed in netty 1:4.1.48-1 (bookworm) | 2020
  The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
  Scope: local
  bookworm: resolved (fixed in 1:4.1.48-1)
  bullseye: resolved (fixed in 1:4.1.48-1
CVE-2019-20444 | CRITICAL | CVSS 9.1 | fixed in netty 1:4.1.45-1 (bookworm) | 2019
  HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
  Scope: local
  bookworm: resolved (fixed in 1:4.1.45-1)
  bullseye: resolved (fixed in 1:4.1.45-1)
  forky: resolved (fixed in 1:4.1.45-1)
  sid: resolved (fixed in 1
CVE-2019-20445 | CRITICAL | CVSS 9.1 | fixed in netty 1:4.1.45-1 (bookworm) | 2019
  HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
  Scope: local
  bookworm: resolved (fixed in 1:4.1.45-1)
  bullseye: resolved (fixed in 1:4.1.45-1)
  forky: resolved (fixed in 1:4.1.45-1)
  sid: resolved (fixed in 1:4.1.45-1)
  trixie: resolved (fixed in 1:4.1.
CVE-2019-16869 | HIGH | CVSS 7.5 | fixed in netty 1:4.1.33-2 (bookworm) | 2019
  Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
  Scope: local
  bookworm: resolved (fixed in 1:4.1.33-2)
  bullseye: resolved (fixed in 1:4.1.33-2)
  forky: resolved (fixed in 1:4.1.33-2)
  sid: resolved (fixed in 1:4.1.33-2)
  trixie: resolved (fixed in 1:4.1.
CVE-2016-4970 | HIGH | CVSS 7.5 | fixed in netty 1:4.0.37-1 (bookworm) | 2016
  handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
  Scope: local
  bookworm: resolved (fixed in 1:4.0.37-1)
  bullseye: resolved (fixed in 1:4.0.37-1)
  forky: resolved (fixed in 1:4.0.37-1)
  sid: resolved (fixed in 1:4.0.37-1)
  trixie: resolved (fixed in 1:4.0.37-1)
CVE-2015-2156 | HIGH | CVSS 7.5 | fixed in netty 1:4.0.31-1 (bookworm) | 2015
  Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
  Scope: local
  bookworm: resolved (fixed in 1:4.0.31-1)
CVE-2014-0193 | LOW (listed as MEDIUM in the entry title) | CVSS 5.0 | 2014
  WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.
  Scope: local
  bookworm: resolved
  bullseye: resolved
  forky: resolved
  sid: resolved
CVE-2014-3488 | LOW (listed as MEDIUM in the entry title) | CVSS 5.0 | 2014
  The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
  Scope: local
  bookworm: resolved
  bullseye: resolved
  forky: resolved
  sid: resolved
  trixie: resolved