Debian Bug report logs - #897247
undertow: CVE-2018-1114: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#897247; Package src:undertow. (Mon, 30 Apr 2018 19:15:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 30 Apr 2018 19:15:04 GMT)

Message #5 received at submit@bugs.debian.org:
Source: undertow
Version: 1.4.23-3
Severity: important
Tags: patch security upstream
Forwarded: https://issues.jboss.org/browse/UNDERTOW-1338
Hi,
The following vulnerability was published for undertow.
CVE-2018-1114[0]:
|File descriptor leak caused by JarURLConnection.getLastModified()
|allows attacker to cause a denial of service
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1114
[1] https://issues.jboss.org/browse/UNDERTOW-1338
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Reply sent to Markus Koschany <apo@debian.org>: You have taken responsibility. (Sun, 06 May 2018 21:03:13 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 06 May 2018 21:03:13 GMT)

Message #10 received at 897247-close@bugs.debian.org:
Source: undertow
Source-Version: 1.4.25-1
We believe that the bug you reported is fixed in the latest version of
undertow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 897247@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated undertow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 06 May 2018 21:29:28 +0200
Source: undertow
Binary: libundertow-java libundertow-java-doc
Architecture: source
Version: 1.4.25-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
libundertow-java - flexible performant web server written in Java
libundertow-java-doc - Documentation for Undertow
Closes: 897247
Changes:
undertow (1.4.25-1) unstable; urgency=medium
.
* New upstream version 1.4.25
- Fix CVE-2018-1114: File descriptor leak caused by
JarURLConnection.getLastModified() allows attacker to cause a denial of
service. (Closes: #897247)
- Fix CVE-2017-12196: When using Digest authentication the server does not
ensure that the value of URI in the Authorization header matches the URI
in HTTP request line. This allows the attacker to cause a MITM attack and
access the desired content on the server.
* Declare compliance with Debian Policy 4.1.4.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Jun 2018 07:26:59 GMT)
Last modified: Wed Jun 19 15:07:52 2019; Machine Name: buxtehude