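Netty vulnerability: you are advised to upgrade Netty to 4.1.42.Final

The CVE-2019-16869 vulnerability was recently disclosed in Netty 4.x.
Details are here: http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201909-1264
The fix is to upgrade to 4.1.42.Final.
The specific behavior is as follows:
HTTP request smuggling, caused by obfuscating TE header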
Expected behavior
ignore obfuscating TE header ("Transfer-Encoding : chunked" vs "Transfer-Encoding: chunked")

Actual behavior
use Transfer-Encoding[space] as Transfer-Encoding

Steps to reproduce
1. topology: client→elb→nettyServer
2. client sends a request with both content-length and trunked-encoded[space]
3. elb ignored trunked-encoded[space], but used content-length
4. netty uses trunked-encoded[space]

Minimal yet complete reproducer code (or URL to code)
when a header field ends with a space but not a colon, should the space be ignored?
cannot find proof in https://greenbytes.de/tech/webdav/rfc7230.html#header.fields

code in io.netty.handler.codec.http.HttpObjectDecoder#splitHeader

```java
// The header name ends at the first ':' OR the first whitespace character,
// so "Transfer-Encoding : chunked" yields the name "Transfer-Encoding".
for (nameEnd = nameStart; nameEnd < length; nameEnd ++) {
    char ch = sb.charAt(nameEnd);
    if (ch == ':' || Character.isWhitespace(ch)) {
        break;
    }
}
```

Netty version
all.

JVM version (e.g. java -version)
OS version (e.g. uname -a)
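
The following example is added here and is not part of the quoted report or of Netty's code. It contrasts the lenient name split from the snippet above with a strict split that refuses whitespace before the colon, which RFC 7230 section 3.2.4 requires a server to reject with 400. The class name, method names and sample header lines are hypothetical and constructed for illustration.

```java
// Added illustration; class and method names are hypothetical, not Netty API.
public class HeaderNameSplitDemo {

    // Lenient split, same loop condition as the snippet quoted in the report:
    // the name ends at ':' OR at the first whitespace character.
    static String lenientName(String line) {
        int nameEnd = 0;
        while (nameEnd < line.length()) {
            char ch = line.charAt(nameEnd);
            if (ch == ':' || Character.isWhitespace(ch)) {
                break;
            }
            nameEnd++;
        }
        return line.substring(0, nameEnd);
    }

    // Strict split: the name is everything before the first ':'; whitespace
    // anywhere in it is refused (RFC 7230 section 3.2.4 -> 400 Bad Request).
    static String strictName(String line) {
        int colon = line.indexOf(':');
        if (colon <= 0) {
            throw new IllegalArgumentException("malformed header line");
        }
        String name = line.substring(0, colon);
        for (int i = 0; i < name.length(); i++) {
            if (Character.isWhitespace(name.charAt(i))) {
                throw new IllegalArgumentException("whitespace in header name: '" + name + "'");
            }
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed header lines, modelled on the report's reproduction steps.
        String[] lines = { "Content-Length: 4", "Transfer-Encoding : chunked" };
        for (String line : lines) {
            System.out.println("lenient -> [" + lenientName(line) + "]");
            try {
                System.out.println("strict  -> [" + strictName(line) + "]");
            } catch (IllegalArgumentException e) {
                System.out.println("strict  -> reject (400): " + e.getMessage());
            }
        }
    }
}
```

For the second line the lenient split returns `Transfer-Encoding`, so the backend frames the body as chunked while a front end that does not recognise `Transfer-Encoding ` frames it by Content-Length; the strict split rejects the request instead of choosing one interpretation.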
