CVE-2020-7238 in Ubuntu

CVE-2020-7238

Priority

Description

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles
Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked
line) and a later Content-Length header. This issue exists because of an
incomplete fix for CVE-2019-16869.

Ubuntu-Description

It was discovered that Netty has HTTP request smuggling vulnerability. A
remote attacker could use it to extract sensitive information.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238
https://bugzilla.redhat.com/show_bug.cgi?id=1796225
https://github.com/jdordonezn/CVE-2020-72381/issues/1
https://netty.io/news/
https://ubuntu.com/security/notices/USN-4600-1

Notes

Package

Source: netty (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	needs-triage
Ubuntu 20.04 LTS:	not-affected (1:4.1.45-1)
Ubuntu 21.10:	not-affected (1:4.1.45-1)
Ubuntu 22.04 LTS:	not-affected (1:4.1.45-1)
Ubuntu 14.04 ESM:	needs-triage

Patches:

Package

Source: netty-3.9 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (3.9.9.Final-1+deb9u1)
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

More Information

Updated: 2022-04-25 00:50:55 UTC (commit ecc1009cb19540b950de59270950018900f37f15)