Ubuntu Security Notice USN-4600-2

==========================================================================
Ubuntu Security Notice USN-4600-2
October 27, 2020

netty vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 18.04 LTS

Summary:

netty could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
– netty: None

Details:

USN-4600-1 fixed multiple vunerabilities in Netty 3.9. This update provides
the corresponding fixes for CVE-2019-20444, CVE-2019-20445 for Netty.

Also it was discovered that Netty allow for unbounded memory allocation. A
remote attacker could send a large stream to the Netty server causing it to
crash (denial of service). (CVE-2020-11612)

Original advisory details:

It was discovered that Netty had HTTP request smuggling vulnerabilities. A
remote attacker could used it to extract sensitive information. (CVE-2019-16869,
CVE-2019-20444, CVE-2019-20445, CVE-2020-7238)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
libnetty-java 1:4.1.7-4ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4600-2
https://usn.ubuntu.com/4600-1
CVE-2019-20444, CVE-2019-20445, CVE-2020-11612

Package Information:
https://launchpad.net/ubuntu/+source/netty/1:4.1.7-4ubuntu0.1