|Description||Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|netty (PTS)||jessie, jessie (lts)||1:3.2.6.Final-2+deb8u2||fixed|
|stretch (security), stretch (lts), stretch||1:4.1.7-2+deb9u3||vulnerable|
|buster, buster (security)||1:4.1.33-1+deb10u2||fixed|
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
[stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module)
Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
Is a followup to: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
[jessie] - netty <not-affected> (http2 support added later)