Bug 1152251 - (CVE-2019-16869) VUL-0: CVE-2019-16869: netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
(CVE-2019-16869)
VUL-0: CVE-2019-16869: netty: HTTP request smuggling by mishandled whitespace...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/243415/
CVSSv3:SUSE:CVE-2019-16869:6.3:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-09-27 08:57 UTC by Alexander Bergmann
Modified: 2022-04-14 12:51 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Silvio Moioli 2019-10-03 08:24:17 UTC
Same considerations in https://bugzilla.suse.com/show_bug.cgi?id=1145663#c1 apply here
Comment 2 Wolfgang Frisch 2020-01-28 09:03:12 UTC
I'd like to draw your attention to CVE-2020-7238 [1], a bug that was introduced upstream by the fix for this bug, CVE-2019-16869.

[1] https://bugzilla.suse.com/show_bug.cgi?id=1161984
Comment 3 Silvio Moioli 2020-02-07 15:36:28 UTC
I submitted requests to update our netty package to 4.1.14 which fixes this vulnerability, and Uyuni patches to adapt to the new version.

https://github.com/uyuni-project/uyuni/pull/1877

https://build.opensuse.org/request/show/772129
https://build.opensuse.org/request/show/772127
https://build.suse.de/request/show/210975
https://build.suse.de/request/show/210973
https://build.suse.de/request/show/210972
https://build.suse.de/request/show/210970

This fix will be part of the next SUSE Manager major version, 4.1, as well.

Can this bug just be closed to RESOLVED?
Comment 4 Marcus Meissner 2020-02-14 12:37:06 UTC
process is to reassign to security-team
Comment 5 Gabriele Sonnu 2022-04-14 12:51:28 UTC
Done.