-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 19 Feb 2020 17:44:45 +0100
Source: netty
Binary: libnetty-java
Architecture: source all
Version: 1:3.2.6.Final-2+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Chris Grzegorczyk <grze@eucalyptus.com>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 libnetty-java - Java NIO client/server socket framework
Changes:
 netty (1:3.2.6.Final-2+deb8u2) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Security Team.
   * CVE-2019-20444: HttpObjectDecoder.java allows an HTTP header that
     lacks a colon, which might be interpreted as a separate header with
     an incorrect syntax, or might be interpreted as an "invalid fold."
   * CVE-2019-20445: HttpObjectDecoder.java allows a Content-Length header
     to be accompanied by a second Content-Length header, or by a
     Transfer-Encoding header.
   * CVE-2020-7238: Netty allows HTTP Request Smuggling because it
     mishandles Transfer-Encoding whitespace (such as a
     [space]Transfer-Encoding:chunked line) and a later Content-Length
     header.