An update for netty3 is now available for openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2103 Final 1.0 1.0 2024-09-06 Initial 2024-09-06 2024-09-06 openEuler SA Tool V1.0 2024-09-06 netty3 security update An update for netty3 is now available for openEuler-22.03-LTS-SP3 Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server. Security Fix(es): Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.(CVE-2019-16869) HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."(CVE-2019-20444) HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.(CVE-2019-20445) An update for netty3 is now available for openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical netty3 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2103 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2019-16869 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2019-20444 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2019-20445 https://nvd.nist.gov/vuln/detail/CVE-2019-16869 https://nvd.nist.gov/vuln/detail/CVE-2019-20444 https://nvd.nist.gov/vuln/detail/CVE-2019-20445 openEuler-22.03-LTS-SP3 netty3-3.10.6-8.oe2203sp3.noarch.rpm netty3-3.10.6-8.oe2203sp3.src.rpm Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a Transfer-Encoding : chunked line), which leads to HTTP request smuggling. 2024-09-06 CVE-2019-16869 openEuler-22.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N netty3 security update 2024-09-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2103 HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an invalid fold. 2024-09-06 CVE-2019-20444 openEuler-22.03-LTS-SP3 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N netty3 security update 2024-09-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2103 HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. 2024-09-06 CVE-2019-20445 openEuler-22.03-LTS-SP3 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N netty3 security update 2024-09-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2103