Bug 1152251 (CVE-2019-16869)

Summary: VUL-0: CVE-2019-16869: netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gabriele.sonnu, moio, security-team, smash_bz, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/243415/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1161984
Whiteboard: CVSSv3:SUSE:CVE-2019-16869:6.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) maint:planned:update
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Silvio Moioli 2019-10-03 08:24:17 UTC
Same considerations in https://bugzilla.suse.com/show_bug.cgi?id=1145663#c1 apply here

Comment 2 Wolfgang Frisch 2020-01-28 09:03:12 UTC
I'd like to draw your attention to CVE-2020-7238 [1], a bug that was introduced upstream by the fix for this bug, CVE-2019-16869.

[1] https://bugzilla.suse.com/show_bug.cgi?id=1161984

Comment 3 Silvio Moioli 2020-02-07 15:36:28 UTC
I submitted requests to update our netty package to 4.1.14 which fixes this vulnerability, and Uyuni patches to adapt to the new version.

This fix will be part of the next SUSE Manager major version, 4.1, as well.

Can this bug just be closed to RESOLVED?

Comment 4 Marcus Meissner 2020-02-14 12:37:06 UTC
process is to reassign to security-team

Comment 5 Gabriele Sonnu 2022-04-14 12:51:28 UTC