[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-MGASA-2021-0374":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":18,"duplicates":19,"related":20,"reserved_at":9,"published_at":23,"modified_at":24,"state":9,"summary":25,"references_raw":27,"kevs":44,"epss":9,"epss_history":45,"metrics":46,"affected":47},"MGASA-2021-0374","Updated netty packages fix security vulnerabilities\n\nIn Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a\nvulnerability that enables request smuggling. If a Content-Length header is\npresent in the original HTTP/2 request, the field is not validated by\n`Http2MultiplexHandler` as it is propagated up. This is fine as long as the\nrequest is not proxied through as HTTP/1.1. If the request comes in as an\nHTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`,\n`HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up\nto the child channel's pipeline and proxied through a remote peer as HTTP/1.1,\nthis may result in request smuggling. In a proxy case, users may assume the\ncontent-length is validated somehow, which is not the case. If the request is\nforwarded to a backend channel that is an HTTP/1.1 connection, the Content-\nLength now has meaning and needs to be checked. An attacker can smuggle\nrequests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For\nan example attack refer to the linked GitHub Advisory. Users are only affected\nif all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used,\n`Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects,\nand these HTTP/1.1 objects are forwarded to another remote peer. This has been\npatched in 4.1.60.Final. As a workaround, the user can do the validation by\nthemselves by implementing a custom `ChannelInboundHandler` that is put in the\n`ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`\n(CVE-2021-21295).\n\nIn Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a\nvulnerability that enables request smuggling. The content-length header is not\ncorrectly validated if the request only uses a single Http2HeaderFrame with\nthe endStream set to true. This could lead to request smuggling if the\nrequest is proxied to a remote peer and translated to HTTP/1.1. This is a\nfollow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which did not fix this one\ncase. This was fixed as part of 4.1.61.Final\n(CVE-2021-21409).\n",null,[],[],[],[14,16],{"_key":15},"CVE-2021-21295",{"_key":17},"CVE-2021-21409",[],[],[21,22],{"_key":15},{"_key":17},"2021-07-27T20:21:53Z","2026-04-16T04:24:42.121088Z",{"cisa_kev":26,"cisa_ransomware":26,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[28,34,39],{"url":29,"sources":30,"tags":32},"https://advisories.mageia.org/MGASA-2021-0374.html",[31],"osv_mageia",[33],"Advisory",{"url":35,"sources":36,"tags":37},"https://bugs.mageia.org/show_bug.cgi?id=28985",[31],[38],"REPORT",{"url":40,"sources":41,"tags":42},"https://www.debian.org/security/2021/dsa-4885",[31],[38,43],"WEB",[],[],[],[48],{"ecosystem":49,"name":50,"vendor":51,"product":50,"cpe_part":9,"purl_type":52,"purl_namespace":51,"purl_name":50,"source":9,"versions":53},"Mageia","netty","mageia","rpm",[54],{"version":55,"is_range":56,"range_type":57,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":59,"fixed_in":9},"lt4_1_51_1_2_mga8",true,"ecosystem","4.1.51-1.2.mga8","excluding"]