Bug 1161984 (CVE-2020-7238)

Summary: VUL-0: CVE-2020-7238: netty: HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace, introduced with an incomplete fix for CVE-2019-16869
Product: [Novell Products] SUSE Security Incidents Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P5 - None CC: moio, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/251955/
See Also: http://bugzilla.suse.com/show_bug.cgi?id=1152251
Whiteboard: CVSSv3.1:SUSE:CVE-2020-7238:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Wolfgang Frisch 2020-01-28 08:58:34 UTC 
CVE-2020-7238

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles
Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line)
and a later Content-Length header. This issue exists because of an incomplete
fix for CVE-2019-16869.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238
https://github.com/jdordonezn/CVE-2020-72381/issues/1
https://netty.io/news/
Comment 2 Silvio Moioli 2020-02-07 15:33:28 UTC 
JFI: I submitted requests to update our netty package to 4.1.14 which fixes this vulnerability, and Uyuni patches to adapt to the new version.

https://github.com/uyuni-project/uyuni/pull/1877

https://build.opensuse.org/request/show/772129
https://build.opensuse.org/request/show/772127
https://build.suse.de/request/show/210975
https://build.suse.de/request/show/210973
https://build.suse.de/request/show/210972
https://build.suse.de/request/show/210970

This fix will be part of the next SUSE Manager major version, 4.1, as well.