undertow: CVE-2017-7559: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)

Related Vulnerabilities: CVE-2017-7559   CVE-2017-2666   CVE-2017-12165  

Debian Bug report logs - #885576

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 28 Dec 2017 08:57:02 UTC

Severity: important

Tags: security

Found in version undertow/1.4.22-1

Fixed in version undertow/1.4.23-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.jboss.org/browse/UNDERTOW-1165?_sscc=t



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#885576; Package src:undertow. (Thu, 28 Dec 2017 08:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 28 Dec 2017 08:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: undertow: CVE-2017-7559: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
Date: Thu, 28 Dec 2017 09:55:12 +0100
Source: undertow
Severity: important
Tags: security

Hi,

the following vulnerability was published for undertow.

There is not much information available on whether that incomplete fix affects
us as well, or where this was fixed upstream. I asked for
clarification in [1], but might you contact upstream directly as well
about that?

CVE-2017-7559[0]:
HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7559
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7559
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1481665#c7

Please adjust the affected versions in the BTS as needed; since it is not
yet clear, no affected version has been added.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#885576; Package src:undertow. (Thu, 28 Dec 2017 17:57:07 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 28 Dec 2017 17:57:07 GMT)


Message #10 received at 885576@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 885338@bugs.debian.org
Cc: 885576@bugs.debian.org
Subject: Re: undertow: CVE-2017-7559: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
Date: Thu, 28 Dec 2017 18:55:54 +0100
On Thu, 28 Dec 2017 09:55:12 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: undertow
> Severity: important
> Tags: security
> 
> Hi,
> 
> the following vulnerability was published for undertow.
> 
> There is not much information available on whether that incomplete fix affects
> us as well, or where this was fixed upstream. I asked for
> clarification in [1], but might you contact upstream directly as well
> about that?

Hi,

I requested more information about the fix for CVE-2017-12165 in Red
Hat's bug tracker. I couldn't find a recent fixing commit in the
upstream Git repository.

Markus


Set Bug forwarded-to-address to 'https://issues.jboss.org/browse/UNDERTOW-1251'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 04 Jan 2018 08:51:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#885576; Package src:undertow. (Fri, 02 Mar 2018 17:27:07 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 02 Mar 2018 17:27:07 GMT)


Message #17 received at 885576@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 885576@bugs.debian.org
Subject: Re: undertow: CVE-2017-7559: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
Date: Fri, 2 Mar 2018 18:26:15 +0100
I filed upstream bug

https://issues.jboss.org/browse/UNDERTOW-1295

and asked for more information about security vulnerabilities in general.

The relevant issues are public now:

CVE-2017-7559 was addressed in version 1.4.23 or 2.0.1. Since 2.0.1
requires the servlet 4.0 API which is currently not available in Debian
I'm opting for 1.4.23. I still need to find the relevant commit to be
able to backport the fix to Stretch.



Marked as found in versions undertow/1.4.22-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Mar 2018 18:09:03 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Fri, 02 Mar 2018 20:57:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 02 Mar 2018 20:57:07 GMT)


Message #24 received at 885576-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 885576-close@bugs.debian.org
Subject: Bug#885576: fixed in undertow 1.4.23-1
Date: Fri, 02 Mar 2018 20:53:30 +0000
Source: undertow
Source-Version: 1.4.23-1

We believe that the bug you reported is fixed in the latest version of
undertow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 885576@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated undertow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 02 Mar 2018 20:29:02 +0100
Source: undertow
Binary: libundertow-java libundertow-java-doc
Architecture: source
Version: 1.4.23-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libundertow-java - flexible performant web server written in Java
 libundertow-java-doc - Documentation for Undertow
Closes: 885576
Changes:
 undertow (1.4.23-1) unstable; urgency=high
 .
   * New upstream version 1.4.23.
     - Fix CVE-2017-7559: HTTP Request smuggling vulnerability.
       (Closes: #885576)





Changed Bug forwarded-to-address to 'https://issues.jboss.org/browse/UNDERTOW-1165?_sscc=t' from 'https://issues.jboss.org/browse/UNDERTOW-1251'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 03 Mar 2018 15:45:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Apr 2018 07:28:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:36:13 2019; Machine Name: buxtehude
