undertow: CVE-2016-7046: Long URL proxy request leads to java.nio.BufferOverflowException and DoS


Debian Bug report logs - #838600


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 22 Sep 2016 20:03:01 UTC

Severity: important

Tags: security, upstream

Found in version undertow/1.4.1-1

Fixed in version undertow/1.4.3-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#838600; Package src:undertow. (Thu, 22 Sep 2016 20:03:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Sep 2016 20:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: undertow: CVE-2016-7046: Long URL proxy request leads to java.nio.BufferOverflowException and DoS
Date: Thu, 22 Sep 2016 22:00:06 +0200
Source: undertow
Version: 1.4.1-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for undertow.

CVE-2016-7046[0]:
Long URL proxy request leads to java.nio.BufferOverflowException and DoS

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7046

Regards,
Salvatore
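The report above names only the symptom (an over-long URL handled by the proxy surfaces as java.nio.BufferOverflowException) and the remedy (upgrading to undertow 1.4.3). The following is an added illustration, not part of the bug report and not Undertow's code, and it makes no claim about where in Undertow the fault actually sat. It shows the general mechanism behind that exception class: ByteBuffer.put(byte[]) throws the unchecked BufferOverflowException whenever the data is longer than remaining(), so an attacker who controls the request-line length controls whether an unchecked write path completes or throws. The class name, BUFFER_SIZE, the method names and the sample URI are all assumptions made for the example.

```java
import java.nio.BufferOverflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/**
 * Added illustration, not Undertow's code and not a claim about where the
 * CVE-2016-7046 fault sits in Undertow: how an over-long request URI written
 * into a fixed-size ByteBuffer surfaces as java.nio.BufferOverflowException,
 * and the bounds check that turns it into a controlled rejection instead.
 * BUFFER_SIZE, the method names and the sample URI are assumptions.
 */
public class ProxyRequestLineDemo {

    /** Assumed size of a pooled write buffer in a hypothetical HTTP proxy. */
    static final int BUFFER_SIZE = 16 * 1024;

    /** Raised by the hardened path so the caller can answer 414 URI Too Long. */
    static final class RequestTooLongException extends Exception {
        RequestTooLongException(String message) {
            super(message);
        }
    }

    static byte[] encodeRequestLine(String method, String uri) {
        return (method + " " + uri + " HTTP/1.1\r\n").getBytes(StandardCharsets.US_ASCII);
    }

    /**
     * Weak form: assumes the request line always fits. ByteBuffer.put(byte[])
     * throws the unchecked BufferOverflowException when the line is longer
     * than remaining(), so a client-controlled URI length decides whether
     * this method completes or blows up in the proxy's write path.
     */
    static int writeRequestLineUnchecked(ByteBuffer out, String method, String uri) {
        byte[] line = encodeRequestLine(method, uri);
        out.put(line);
        return line.length;
    }

    /**
     * Hardened form: compare the encoded length against remaining() before
     * touching the buffer and fail with a checked, protocol-level error.
     * Per the ByteBuffer contract no bytes are transferred on overflow, so
     * the check keeps the failure explicit rather than changing what is written.
     */
    static int writeRequestLineChecked(ByteBuffer out, String method, String uri)
            throws RequestTooLongException {
        byte[] line = encodeRequestLine(method, uri);
        if (line.length > out.remaining()) {
            throw new RequestTooLongException("request line is " + line.length
                    + " bytes, buffer has " + out.remaining() + " remaining");
        }
        out.put(line);
        return line.length;
    }

    /** Constructed input: a URI that by itself exceeds the buffer. */
    static String oversizedUri() {
        StringBuilder sb = new StringBuilder("/");
        for (int i = 0; i < BUFFER_SIZE; i++) {
            sb.append('A');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        ByteBuffer buf = ByteBuffer.allocate(BUFFER_SIZE);

        // A normal request line fits with room to spare.
        int written = writeRequestLineUnchecked(buf, "GET", "/index.html");
        System.out.println("normal request line: " + written + " bytes written");

        // The same call with an oversized URI throws the unchecked exception.
        buf.clear();
        try {
            writeRequestLineUnchecked(buf, "GET", oversizedUri());
            System.out.println("unexpected: oversized line fitted");
        } catch (BufferOverflowException e) {
            System.out.println("unchecked path: " + e);
        }

        // The hardened path rejects the request before the buffer is touched.
        buf.clear();
        try {
            writeRequestLineChecked(buf, "GET", oversizedUri());
        } catch (RequestTooLongException e) {
            System.out.println("checked path: reject with 414, " + e.getMessage());
            System.out.println("buffer position still " + buf.position());
        }
    }
}
```

Compile and run with `javac ProxyRequestLineDemo.java && java ProxyRequestLineDemo`. The point for a reviewer of proxy code is that BufferOverflowException is unchecked: nothing in the method signature forces the caller to handle it, so any request-derived length written into a pooled buffer needs an explicit remaining() comparison (or an upstream request-line limit) if the failure is to become a 414 rather than an exception escaping the request path. For the Debian package itself, the fix recorded in this report is the upgrade to 1.4.3-1.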



Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Fri, 23 Sep 2016 18:24:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 23 Sep 2016 18:24:04 GMT)


Message #10 received at 838600-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 838600-close@bugs.debian.org
Subject: Bug#838600: fixed in undertow 1.4.3-1
Date: Fri, 23 Sep 2016 18:21:15 +0000
Source: undertow
Source-Version: 1.4.3-1

We believe that the bug you reported is fixed in the latest version of
undertow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838600@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated undertow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Sep 2016 19:18:11 +0200
Source: undertow
Binary: libundertow-java libundertow-java-doc
Architecture: source
Version: 1.4.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libundertow-java - flexible performant web server written in Java
 libundertow-java-doc - Documentation for Undertow
Closes: 838600
Changes:
 undertow (1.4.3-1) unstable; urgency=medium
 .
   * New upstream version 1.4.3.
     - Fixes CVE-2016-7046. (Closes: #838600)
       Thanks to Salvatore Bonaccorso for the report.
   * Switch to compat level 10.
   * debian/watch: Use version=4.
Checksums-Sha1:
 5550e9e97a6c4a21e319554b8f35350d1d41e4b1 2665 undertow_1.4.3-1.dsc
 ec6612a15caaaed566bdb27e69121af1c0e7506e 698272 undertow_1.4.3.orig.tar.xz
 576b65a0f8b522f2bd4ec9a6dd67a1606b46e2aa 6208 undertow_1.4.3-1.debian.tar.xz
Checksums-Sha256:
 916d2a03f9237d6bee34d50c01349e60428302233d84db54b635e39bb7c8b9e9 2665 undertow_1.4.3-1.dsc
 2ce6df50fc4041f4fe67246958afed9734d1d606d34e262f9aab41f4f59a817b 698272 undertow_1.4.3.orig.tar.xz
 2d078b5625ee0e4c443442feae40af20e21d060500c34ce21ae468c995454abc 6208 undertow_1.4.3-1.debian.tar.xz
Files:
 05916759950cad50beba8c9d01dafe24 2665 java optional undertow_1.4.3-1.dsc
 9649d6c3e8bdec0756ab6e34ac58454f 698272 java optional undertow_1.4.3.orig.tar.xz
 8534d0ef04547c0766f7c44e3376e8a1 6208 java optional undertow_1.4.3-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Oct 2016 07:24:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:28:05 2019; Machine Name: buxtehude
