An update for netty is now available for openEuler-20.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1930 Final 1.0 1.0 2022-09-23 Initial 2022-09-23 2022-09-23 openEuler SA Tool V1.0 2022-09-23 netty security update An update for netty is now available for openEuler-20.03-LTS-SP3. Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. %package help Summary: Documents for Buildarch: noarch Requires: man info Provides: -javadoc = - Obsoletes: -javadoc < - %description help Man pages and other related documents for . Security Fix(es): Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.(CVE-2021-43797) An update for netty is now available for openEuler-20.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium netty https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1930 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-43797 https://nvd.nist.gov/vuln/detail/CVE-2021-43797 openEuler-20.03-LTS-SP3 netty-4.1.13-17.oe1.aarch64.rpm netty-help-4.1.13-17.oe1.noarch.rpm netty-4.1.13-17.oe1.src.rpm netty-4.1.13-17.oe1.x86_64.rpm Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.7.1.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to sanitize header names before it forward these to another remote system when used as proxy. This remote system can t see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.7.1.Final to receive a patch. 2022-09-23 CVE-2021-43797 openEuler-20.03-LTS-SP3 Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N netty security update 2022-09-23 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1930