undertow: CVE-2018-1114: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service

Related Vulnerabilities: CVE-2018-1114   CVE-2017-12196  

Debian Bug report logs - #897247

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 30 Apr 2018 19:15:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version undertow/1.4.23-3

Fixed in version undertow/1.4.25-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.jboss.org/browse/UNDERTOW-1338



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#897247; Package src:undertow. (Mon, 30 Apr 2018 19:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 30 Apr 2018 19:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: undertow: CVE-2018-1114: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service
Date: Mon, 30 Apr 2018 21:10:55 +0200
Source: undertow
Version: 1.4.23-3
Severity: important
Tags: patch security upstream
Forwarded: https://issues.jboss.org/browse/UNDERTOW-1338

Hi,

The following vulnerability was published for undertow.

CVE-2018-1114[0]:
|File descriptor leak caused by JarURLConnection.getLastModified()
|allows attacker to cause a denial of service

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1114
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1114
[1] https://issues.jboss.org/browse/UNDERTOW-1338

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 06 May 2018 21:03:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 06 May 2018 21:03:13 GMT)


Message #10 received at 897247-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 897247-close@bugs.debian.org
Subject: Bug#897247: fixed in undertow 1.4.25-1
Date: Sun, 06 May 2018 21:00:20 +0000
Source: undertow
Source-Version: 1.4.25-1

We believe that the bug you reported is fixed in the latest version of
undertow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897247@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated undertow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 06 May 2018 21:29:28 +0200
Source: undertow
Binary: libundertow-java libundertow-java-doc
Architecture: source
Version: 1.4.25-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libundertow-java - flexible performant web server written in Java
 libundertow-java-doc - Documentation for Undertow
Closes: 897247
Changes:
 undertow (1.4.25-1) unstable; urgency=medium
 .
   * New upstream version 1.4.25
     - Fix CVE-2018-1114: File descriptor leak caused by
       JarURLConnection.getLastModified() allows attacker to cause a denial of
       service. (Closes: #897247)
     - Fix CVE-2017-12196: When using Digest authentication the server does not
       ensure that the value of URI in the Authorization header matches the URI
       in HTTP request line. This allows the attacker to cause a MITM attack and
       access the desired content on the server.
   * Declare compliance with Debian Policy 4.1.4.
Checksums-Sha1:
 9626fbf640d84557c6a3c952b568e6fc3d071317 2754 undertow_1.4.25-1.dsc
 10d9205135f8bfc095ecc95de5676466e141fcca 744588 undertow_1.4.25.orig.tar.xz
 f3943ec4f76c1c529f9066d832d0c7035fd8b072 7528 undertow_1.4.25-1.debian.tar.xz
 bf49bc5e7223bd9ac520ac867bfed034ecedafa1 17738 undertow_1.4.25-1_amd64.buildinfo
Checksums-Sha256:
 facfa86844e8da9544f6e9deee6240493788c75e77f9fda477b6c3d8c0621b4b 2754 undertow_1.4.25-1.dsc
 eccabc5973944010a15d2a4ec16a3a948c8cf75496d6da9013c84c1867d55a5d 744588 undertow_1.4.25.orig.tar.xz
 650f26f47cb02a3d806fc9ec45257d85ba0ed1a02b4d3c85c05e2b52fbc0ffa0 7528 undertow_1.4.25-1.debian.tar.xz
 4ef0e643cbabd5499d84e5d11b46a585e74a1e4688bd3969825170a2cdae1077 17738 undertow_1.4.25-1_amd64.buildinfo
Files:
 e670ecf8ab523e51d19d7654fa76bac7 2754 java optional undertow_1.4.25-1.dsc
 91b3a5b29190017f7d119ad409690d3d 744588 java optional undertow_1.4.25.orig.tar.xz
 ef78fc553059accb288dacceda75edf2 7528 java optional undertow_1.4.25-1.debian.tar.xz
 500f45ee38b3fdc6fbf7baf7c07c1c2b 17738 java optional undertow_1.4.25-1_amd64.buildinfo

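The changelog above names the defect only by its symptom: a descriptor is leaked each time the resource's last-modified time is read through a jar: URLConnection, so an attacker who can provoke many such reads can exhaust the process's descriptor table. The following is an added example, not Undertow's code and not the upstream patch from UNDERTOW-1338: it puts the leaky call shape next to a hardened variant that, for jar:file: URLs, reads the jar's mtime straight from the filesystem and never opens a connection at all, and for other schemes connects through a try-with-resources stream so that whatever the connection opened is closed. The class and method names, the constructed sample jar, and the /proc/self/fd descriptor counter (Linux only) are this example's own; that the first method leaks is what the advisory describes for affected JDK/Undertow builds and is not guaranteed on every JDK.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.JarURLConnection;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.jar.JarEntry;
import java.util.jar.JarOutputStream;
import java.util.stream.Stream;

/**
 * Added example, not Undertow's own code: the leak shape behind CVE-2018-1114
 * beside a variant that does not pay one descriptor per call. Names are this
 * example's own.
 */
public final class JarLastModifiedDemo {

    /**
     * Leaky shape. Answering getLastModified() makes the jar: connection open the
     * jar (or a stream on it); nothing here closes it, and with useCaches=false no
     * shared JarFile cache owns it, so the descriptor lingers until the GC happens
     * to finalize the abandoned connection, if it ever does under load.
     */
    static long lastModifiedViaConnection(URL jarEntryUrl) throws IOException {
        URLConnection conn = jarEntryUrl.openConnection();
        conn.setUseCaches(false);
        return conn.getLastModified();
    }

    /**
     * Hardened shape (an assumed workaround, not necessarily upstream's exact fix).
     * jar:file: URLs are answered from the filesystem without connecting; other
     * schemes connect via getInputStream() so try-with-resources closes the handle.
     */
    static long lastModifiedSafe(URL jarEntryUrl) throws IOException {
        URLConnection conn = jarEntryUrl.openConnection();
        conn.setUseCaches(false);
        if (conn instanceof JarURLConnection) {
            URL jarFileUrl = ((JarURLConnection) conn).getJarFileURL();
            if ("file".equals(jarFileUrl.getProtocol())) {
                try {
                    return new File(jarFileUrl.toURI()).lastModified(); // no connection opened
                } catch (URISyntaxException e) {
                    throw new IOException("unparseable jar file URL: " + jarFileUrl, e);
                }
            }
        }
        try (InputStream in = conn.getInputStream()) {
            return conn.getLastModified();
        }
    }

    /** Linux only (assumes /proc is mounted): descriptors this JVM currently holds. */
    static long openDescriptors() throws IOException {
        Path fdDir = Paths.get("/proc/self/fd");
        if (!Files.isDirectory(fdDir)) {
            return -1;
        }
        try (Stream<Path> entries = Files.list(fdDir)) {
            return entries.count();
        }
    }

    /** Constructed sample jar with one entry so the demo runs offline. */
    static Path writeSampleJar() throws IOException {
        Path jar = Files.createTempFile("cve-2018-1114-demo", ".jar");
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(jar.toFile()))) {
            out.putNextEntry(new JarEntry("index.html"));
            out.write("<html>constructed sample</html>".getBytes("UTF-8"));
            out.closeEntry();
        }
        return jar;
    }

    public static void main(String[] args) throws IOException {
        Path jar = writeSampleJar();
        URL entry = new URL("jar:" + jar.toUri() + "!/index.html");
        try {
            long before = openDescriptors();
            for (int i = 0; i < 1000; i++) {
                lastModifiedViaConnection(entry);
            }
            long afterLeaky = openDescriptors();
            for (int i = 0; i < 1000; i++) {
                lastModifiedSafe(entry);
            }
            long afterSafe = openDescriptors();
            System.out.println("open fds before:           " + before);
            System.out.println("after 1000 leaky calls:    " + afterLeaky);
            System.out.println("after 1000 hardened calls: " + afterSafe);
        } finally {
            Files.deleteIfExists(jar);
        }
    }
}
```

Run it on a Linux box with `ulimit -n` lowered (for instance `ulimit -n 256`) to see the leaky loop hit "Too many open files" long before the hardened loop does; on a JDK that does not exhibit the leak the two counts stay flat, which is itself a useful check before trusting a given runtime. The design point is that `getLastModified()` is a header lookup that nonetheless opens resources, so any caller that never obtains and closes the stream is relying on finalization to release them.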




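The second entry in the changelog, CVE-2017-12196, describes a missing comparison in Digest authentication: the `uri` directive that the client hashed into its `response` must be the same request-target that appears on the HTTP request line, otherwise an Authorization header captured for one resource can be replayed against another and still verify. The following is an added example, not Undertow's code and not the upstream patch: a minimal Digest directive parser plus the one check that was missing. Response-hash verification is unchanged by this fix and is omitted here; the header and request targets are constructed, and the class and method names are this example's own.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not Undertow's own code: the request-line check whose absence
 * is described for CVE-2017-12196. Parsing is deliberately minimal.
 */
public final class DigestUriCheck {

    /** Split the directives of a Digest Authorization header into a name -> value map. */
    static Map<String, String> parseDigestDirectives(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Digest ", 0, 7)) {
            throw new IllegalArgumentException("not a Digest Authorization header");
        }
        // Split on commas that are not inside a quoted-string value.
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (char c : authorization.substring(7).toCharArray()) {
            if (c == '"') {
                quoted = !quoted;
            }
            if (c == ',' && !quoted) {
                parts.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        parts.add(cur.toString());

        Map<String, String> directives = new LinkedHashMap<>();
        for (String part : parts) {
            int eq = part.indexOf('=');
            if (eq < 0) {
                continue;
            }
            String name = part.substring(0, eq).trim().toLowerCase();
            String value = part.substring(eq + 1).trim();
            if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                value = value.substring(1, value.length() - 1);
            }
            directives.put(name, value);
        }
        return directives;
    }

    /**
     * The missing check: the uri the client hashed into its response must be the
     * request-target the server is actually about to serve. Exact string match is
     * the simplest correct policy; anything looser must normalize both sides first.
     */
    static boolean uriMatchesRequestLine(Map<String, String> directives, String requestTarget) {
        String uri = directives.get("uri");
        return uri != null && uri.equals(requestTarget);
    }

    public static void main(String[] args) {
        // Constructed header: a client that authenticated for /public/index.html.
        String header = "Digest username=\"alice\", realm=\"example\", nonce=\"abc\", "
                + "uri=\"/public/index.html\", response=\"deadbeef\", qop=auth, "
                + "nc=00000001, cnonce=\"xyz\"";
        Map<String, String> d = parseDigestDirectives(header);

        // Same header on the request it was issued for: accepted.
        System.out.println("/public/index.html -> " + uriMatchesRequestLine(d, "/public/index.html"));
        // Same header replayed against a different request line: must be rejected.
        System.out.println("/admin/secret      -> " + uriMatchesRequestLine(d, "/admin/secret"));
    }
}
```

The check belongs before the response hash is verified, and it must compare against the request line the server will dispatch, not against the `uri` directive itself (which is exactly the mistake the advisory describes). The first call prints true and the second false; a server that computes the expected digest from the header's `uri` alone would accept both.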
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Jun 2018 07:26:59 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:07:52 2019; Machine Name: buxtehude
