https://bugzilla.redhat.com/show_bug.cgi?id=1798524
Bug ID: 1798524
Summary: CVE-2019-20444 netty: HTTP request smuggling
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, aos-bugs@redhat.com, asoldano@redhat.com, atangrin@redhat.com, ataylor@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bbuckingham@redhat.com, bcourt@redhat.com, bgeorges@redhat.com, bkearney@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, btotty@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, decathorpe@gmail.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, hhudgeon@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jburrell@redhat.com, jcantril@redhat.com, jerboaa@gmail.com, jochrist@redhat.com, jokerman@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jross@redhat.com, jstastny@redhat.com, jwon@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, lgao@redhat.com, loleary@redhat.com, lthon@redhat.com, lzap@redhat.com, mmccune@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, nstielau@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pdrozd@redhat.com, pgallagh@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, rchan@redhat.com, rguimara@redhat.com, rjerrido@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sdaley@redhat.com, smaestri@redhat.com, sochotni@redhat.com, sokeeffe@redhat.com, spinder@redhat.com, sponnaga@redhat.com, stewardship-sig@lists.fedoraproject.org, sthorger@redhat.com, tbrisker@redhat.com, theute@redhat.com, tom.jenkinson@redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in HttpObjectDecoder.java in Netty before 4.1.44: the decoder accepts an HTTP header line that lacks a colon. Such a line might be interpreted as a separate header with incorrect syntax, or might be interpreted as an "invalid fold" (a continuation of the preceding header's value). Because a proxy and an origin server on the same path may make different choices for the same bytes, they can disagree on where the request body ends, which allows HTTP request smuggling.
References:
https://github.com/netty/netty/issues/9866
https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Fin...