Bugzilla – Bug 1161984
VUL-0: CVE-2020-7238: netty: HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace, introduced with an incomplete fix for CVE-2019-16869
Last modified: 2020-02-07 15:33:28 UTC
CVE-2020-7238 Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7238 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238 https://github.com/jdordonezn/CVE-2020-72381/issues/1 https://netty.io/news/
JFI: I submitted requests to update our netty package to 4.1.14 which fixes this vulnerability, and Uyuni patches to adapt to the new version. https://github.com/uyuni-project/uyuni/pull/1877 https://build.opensuse.org/request/show/772129 https://build.opensuse.org/request/show/772127 https://build.suse.de/request/show/210975 https://build.suse.de/request/show/210973 https://build.suse.de/request/show/210972 https://build.suse.de/request/show/210970 This fix will be part of the next SUSE Manager major version, 4.1, as well.