OESA-2024-2069

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2069

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2024-2069.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2024-2069

Upstream

CVE-2019-16869

CVE-2019-20444

CVE-2019-20445

Published

2024-08-30T11:08:59Z

Modified

2025-08-12T05:34:32.068364Z

Summary

netty3 security update

Details

Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Security Fix(es):

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.(CVE-2019-16869)

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."(CVE-2019-20444)

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.(CVE-2019-20445)

Database specific

{
    "severity": "Critical"
}

References

Affected packages

openEuler:22.03-LTS-SP4 / netty3

Package

Name: netty3
Purl: pkg:rpm/openEuler/netty3&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.10.6-8.oe2203sp4

Ecosystem specific

{
    "src": [
        "netty3-3.10.6-8.oe2203sp4.src.rpm"
    ],
    "noarch": [
        "netty3-3.10.6-8.oe2203sp4.noarch.rpm"
    ]
}