netty-3.9 (3.9.0.Final-1+deb8u1) jessie-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Security Team.
  * CVE-2014-0193: WebSocket08FrameDecoder allows remote attackers to
    cause a denial of service (memory consumption) via a
    TextWebSocketFrame followed by a long stream of
    ContinuationWebSocketFrames.
  * CVE-2014-3488: The SslHandler allows remote attackers to cause a
    denial of service (infinite loop and CPU consumption) via a
    crafted SSLv2Hello message.
  * CVE-2019-16869: Correctly handle whitespace in HTTP header names
    as defined by RFC7230#section-3.2.4.
  * CVE-2019-20444: HttpObjectDecoder.java allows an HTTP header that
    lacks a colon, which might be interpreted as a separate header
    with an incorrect syntax, or might be interpreted as an "invalid
    fold."
  * CVE-2019-20445: HttpObjectDecoder.java allows a Content-Length
    header to be accompanied by a second Content-Length header, or by
    a Transfer-Encoding header.
  * CVE-2020-7238: Netty allows HTTP Request Smuggling because it
    mishandles Transfer-Encoding whitespace (such as a
    [space]Transfer-Encoding:chunked line) and a later Content-Length
    header.

 -- Sylvain Beucler <beuc@debian.org>  Wed, 19 Feb 2020 17:46:53 +0100

netty-3.9 (3.9.0.Final-1) unstable; urgency=medium

  * Initial release (Closes: #736645)

 -- Hilko Bengen <bengen@debian.org>  Sun, 08 Jun 2014 18:55:20 +0200
