Debian Bug report logs - #864405
undertow: CVE-2017-2666 CVE-2017-2670
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Thu, 8 Jun 2017 06:57:01 UTC
Severity: grave
Tags: security
Found in version undertow/1.4.8-1
Fixed in versions undertow/1.4.18-1, undertow/1.4.8-1+deb9u1
Done: Markus Koschany <apo@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#864405; Package src:undertow. (Thu, 08 Jun 2017 06:57:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 08 Jun 2017 06:57:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: undertow
Severity: grave
Tags: security
There's no other reference than what Red Hat published here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
Upstream needs to be contacted or the patch pulled from their
update.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#864405; Package src:undertow. (Thu, 08 Jun 2017 07:03:04 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 08 Jun 2017 07:03:04 GMT)
Message #10 received at 864405@bugs.debian.org:
retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670
thx
Moritz Muehlenhoff wrote:
>
> There's no other reference than what Red Hat published here:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
Also:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670
Cheers,
Moritz
Changed Bug title to 'undertow: CVE-2016-2666 CVE-2016-2670' from 'CVE-2016-2666'.
Request was from Moritz Mühlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Thu, 08 Jun 2017 07:03:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#864405; Package src:undertow. (Thu, 08 Jun 2017 07:45:05 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 08 Jun 2017 07:45:05 GMT)
Message #17 received at 864405@bugs.debian.org:
On 08.06.2017 at 09:01, Moritz Mühlenhoff wrote:
> retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670
> thx
>
> Moritz Muehlenhoff wrote:
>>
>> There's no other reference than what Red Hat published here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
>
> Also:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670
I requested more information at
https://issues.jboss.org/browse/UNDERTOW-1094
Changed Bug title to 'undertow: CVE-2017-2666 CVE-2017-2670' from 'undertow: CVE-2016-2666 CVE-2016-2670'.
Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Thu, 08 Jun 2017 07:45:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#864405; Package src:undertow. (Tue, 13 Jun 2017 20:03:02 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 13 Jun 2017 20:03:03 GMT)
Message #24 received at 864405@bugs.debian.org:
Control: tags -1 moreinfo
On Thu, 8 Jun 2017 09:40:02 +0200 Markus Koschany <apo@debian.org> wrote:
> On 08.06.2017 at 09:01, Moritz Mühlenhoff wrote:
> > retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670
> > thx
> >
> > Moritz Muehlenhoff wrote:
> >>
> >> There's no other reference than what Red Hat published here:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
> >
> > Also:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670
>
> I requested more information at
>
> https://issues.jboss.org/browse/UNDERTOW-1094
I have also replied to the CVE-2017-2670 bug report in Red Hat's bug
tracker but haven't got an answer yet.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670
According to the same bug report the vulnerable code is at
https://github.com/undertow-io/undertow/blob/1.4.12.Final/core/src/main/java/io/undertow/server/protocol/framed/AbstractFramedStreamSourceChannel.java#L288
Usually I would expect that there is a recent change but this particular
file has not been updated since September 2016.
At the moment I do not have enough information to assess the severity of
these CVEs and cannot fix them.
Markus
Added tag(s) moreinfo.
Request was from Markus Koschany <apo@debian.org> to 864405-submit@bugs.debian.org. (Tue, 13 Jun 2017 20:03:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#864405; Package src:undertow. (Thu, 29 Jun 2017 15:45:03 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 29 Jun 2017 15:45:03 GMT)
Message #31 received at 864405@bugs.debian.org:
Control: tags -1 -moreinfo
Control: tags -1 pending
Upstream communication was not really great but I believe the issue was
fixed in 1.4.17.
CVE-2017-2666: https://issues.jboss.org/browse/UNDERTOW-1101
Fixing commit:
https://github.com/undertow-io/undertow/commit/1e72647818c9fb31b693a953b1ae595a6c82eb7f
CVE-2017-2670: https://issues.jboss.org/browse/UNDERTOW-1035
Fixing commit:
https://github.com/undertow-io/undertow/commit/9bfe9fbbb595d51157b61693f072895f7dbadd1d
Upload is pending.
Markus
Removed tag(s) moreinfo.
Request was from Markus Koschany <apo@debian.org> to 864405-submit@bugs.debian.org. (Thu, 29 Jun 2017 15:45:03 GMT)
Added tag(s) pending.
Request was from Markus Koschany <apo@debian.org> to 864405-submit@bugs.debian.org. (Thu, 29 Jun 2017 15:45:04 GMT)
Reply sent to Markus Koschany <apo@debian.org>: You have taken responsibility. (Thu, 29 Jun 2017 16:39:10 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Thu, 29 Jun 2017 16:39:10 GMT)
Message #40 received at 864405-close@bugs.debian.org:
Source: undertow
Source-Version: 1.4.18-1
We believe that the bug you reported is fixed in the latest version of
undertow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 864405@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated undertow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 29 Jun 2017 18:05:28 +0200
Source: undertow
Binary: libundertow-java libundertow-java-doc
Architecture: source
Version: 1.4.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
libundertow-java - flexible performant web server written in Java
libundertow-java-doc - Documentation for Undertow
Closes: 864405
Changes:
undertow (1.4.18-1) unstable; urgency=medium
.
  * New upstream version 1.4.18.
    - Fixes CVE-2017-2666 and CVE-2017-2670. (Closes: #864405)
  * Declare compliance with Debian Policy 4.0.0.
  * Use https for Format field.
  * Ignore zanata-maven-plugin.
  * Ignore karaf submodule.
  * Add libmaven-bundle-plugin-java to B-D.
  * Remove lintian-overrides file.
Marked as found in versions undertow/1.4.8-1.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 29 Jun 2017 17:09:07 GMT)
Reply sent to Markus Koschany <apo@debian.org>: You have taken responsibility. (Sat, 15 Jul 2017 21:51:27 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sat, 15 Jul 2017 21:51:27 GMT)
Message #47 received at 864405-close@bugs.debian.org:
Source: undertow
Source-Version: 1.4.8-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
undertow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 864405@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated undertow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 11 Jul 2017 13:37:02 +0200
Source: undertow
Binary: libundertow-java libundertow-java-doc
Architecture: source all
Version: 1.4.8-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
libundertow-java - flexible performant web server written in Java
libundertow-java-doc - Documentation for Undertow
Closes: 864405
Changes:
undertow (1.4.8-1+deb9u1) stretch-security; urgency=high
.
  * Fix CVE-2017-2666 and CVE-2017-2670:
    - CVE-2017-2666:
      Prevent HTTP smuggling attacks by making sure messages do not contain
      invalid headers.
    - CVE-2017-2670:
      Fix possible DoS attack. The websocket non clean close can cause IO
      thread to get stuck in a loop.
    (Closes: #864405)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Aug 2017 07:24:45 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:44:42 2019; Machine Name: beach