PublicDateAtUSN: 2019-09-26 16:15:00 UTC
Candidate: CVE-2019-16869
PublicDate: 2019-09-26 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
 https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
 https://github.com/netty/netty/issues/9571
 https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
 https://ubuntu.com/security/notices/USN-4532-1
 https://ubuntu.com/security/notices/USN-4600-1
Description:
 Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP
 headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP
 request smuggling.
Ubuntu-Description:
 It was discovered that Netty has an HTTP request smuggling vulnerability. A
 remote attacker could use it to extract sensitive information.
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_netty:
upstream_netty: needs-triage
precise/esm_netty: DNE
trusty_netty: ignored (out of standard support)
trusty/esm_netty: needed
xenial_netty: ignored (end of standard support, was needed)
bionic_netty: needed
disco_netty: ignored (reached end-of-life)
eoan_netty: ignored (reached end-of-life)
focal_netty: not-affected (1:4.1.33-3)
groovy_netty: not-affected (1:4.1.33-3)
hirsute_netty: not-affected (1:4.1.33-3)
impish_netty: not-affected (1:4.1.33-3)
jammy_netty: not-affected (1:4.1.33-3)
devel_netty: not-affected (1:4.1.33-3)

Patches_netty-3.9:
upstream_netty-3.9: needs-triage
precise/esm_netty-3.9: DNE
trusty_netty-3.9: ignored (trusty was DNE)
trusty/esm_netty-3.9: DNE
xenial_netty-3.9: released (3.9.0.Final-1ubuntu0.1)
bionic_netty-3.9: released (3.9.9.Final-1+deb9u1build0.18.04.1)
focal_netty-3.9: DNE
groovy_netty-3.9: DNE
hirsute_netty-3.9: DNE
impish_netty-3.9: DNE
jammy_netty-3.9: DNE
devel_netty-3.9: DNE