CVE-2021-43797

NameCVE-2021-43797
DescriptionNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3268-1, DSA-5316-1
Debian Bugs1001437

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
netty (PTS)buster1:4.1.33-1+deb10u2vulnerable
buster (security)1:4.1.33-1+deb10u4fixed
bullseye (security), bullseye1:4.1.48-4+deb11u2fixed
bookworm, bookworm (security)1:4.1.48-7+deb12u1fixed
sid, trixie1:4.1.48-9fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nettysourcebuster1:4.1.33-1+deb10u3DLA-3268-1
nettysourcebullseye1:4.1.48-4+deb11u1DSA-5316-1
nettysource(unstable)1:4.1.48-61001437

Notes

[stretch] - netty <no-dsa> (Minor issue)
https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 (netty-4.1.71.Final)
Search for package or bug name: Reporting problems