Bugzilla – Bug 1152251
VUL-0: CVE-2019-16869: netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
Last modified: 2022-04-14 12:51:28 UTC
CVE-2019-16869 Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
Upstream fix: https://github.com/netty/netty/commit/017a9658c97ff1a1355c31a6a1f8bd1ea6f21c8d
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16869
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16869.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
https://github.com/netty/netty/issues/9571
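The header-name rule behind this CVE (and behind the leading-whitespace variant, CVE-2020-7238, raised in a later comment), as an added example that is not Netty's code and not part of this bug report: a strict RFC 7230 header-line parser beside an illustrative lenient one, showing that the two frame the same constructed header block differently, which is exactly the disagreement a smuggling attack relies on. Function names and the sample headers are assumptions.

```python
import re

# RFC 7230 3.2.4: field-name is a token and no whitespace is allowed between
# it and the colon. A receiver must reject such a line (or a proxy must strip
# the whitespace before forwarding); otherwise two hops can frame the same
# body differently, which is the desynchronisation behind this CVE.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class MalformedHeader(ValueError):
    """Raised by the strict parser; the sensible response is 400 + close."""

def parse_header_line_strict(line: str) -> tuple[str, str]:
    """Return (lowercased name, value); reject whitespace around the name."""
    name, colon, value = line.partition(":")
    if not colon:
        raise MalformedHeader(f"no colon in header line {line!r}")
    if not _TOKEN.fullmatch(name):
        # "Transfer-Encoding " and " Transfer-Encoding" both fail here
        raise MalformedHeader(f"invalid field-name {name!r}")
    return name.lower(), value.strip(" \t")

def parse_header_line_lenient(line: str) -> tuple[str, str]:
    """Illustrative lenient parser (not Netty's code): it trims the name,
    so 'Transfer-Encoding : chunked' is silently accepted as chunked."""
    name, _, value = line.partition(":")
    return name.strip().lower(), value.strip(" \t")

def body_framing(lines: list[str], parser) -> str:
    """How a receiver using `parser` frames the body (RFC 7230 3.3.3):
    'chunked', 'content-length' or 'none'; Transfer-Encoding wins."""
    headers = dict(parser(line) for line in lines)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return "chunked"
    return "content-length" if "content-length" in headers else "none"

def framing_or_reject(lines: list[str], parser) -> str:
    """Same as body_framing but reports 'rejected' for a malformed block."""
    try:
        return body_framing(lines, parser)
    except MalformedHeader:
        return "rejected"

# Constructed sample: the malformed line the CVE text describes, next to a
# Content-Length; a lenient hop sees 'chunked', a strict hop rejects.
SAMPLE_HEADERS = ["Host: example.test", "Content-Length: 4",
                  "Transfer-Encoding : chunked"]
```

Running `framing_or_reject(SAMPLE_HEADERS, parse_header_line_lenient)` against the strict variant makes the disagreement visible; a proxy and origin that differ this way are the condition to fix or detect.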
The same considerations as in https://bugzilla.suse.com/show_bug.cgi?id=1145663#c1 apply here.
I'd like to draw your attention to CVE-2020-7238 [1], a bug that was introduced upstream by the fix for this bug, CVE-2019-16869. [1] https://bugzilla.suse.com/show_bug.cgi?id=1161984
I submitted requests to update our netty package to 4.1.14, which fixes this vulnerability, and Uyuni patches to adapt to the new version.
https://github.com/uyuni-project/uyuni/pull/1877
https://build.opensuse.org/request/show/772129
https://build.opensuse.org/request/show/772127
https://build.suse.de/request/show/210975
https://build.suse.de/request/show/210973
https://build.suse.de/request/show/210972
https://build.suse.de/request/show/210970
This fix will be part of the next SUSE Manager major version, 4.1, as well. Can this bug just be closed to RESOLVED?
Process is to reassign to security-team.
Done.