Debian Bug report logs -
#885338
CVE-2017-12165
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#885338; Package src:undertow.
(Tue, 26 Dec 2017 12:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Tue, 26 Dec 2017 12:45:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: undertow
Severity: important
Tags: security
The only source here is a report in Red Hat Bugzilla, so might be worth contacting
upstream for additional information:
https://bugzilla.redhat.com/show_bug.cgi?id=1490301
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#885338; Package src:undertow.
(Thu, 28 Dec 2017 17:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Thu, 28 Dec 2017 17:57:05 GMT) (full text, mbox, link).
Message #10 received at 885338@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Thu, 28 Dec 2017 09:55:12 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: undertow
> Severity: important
> Tags: security
>
> Hi,
>
> the following vulnerability was published for undertow.
>
> There is not much information available if that incomplete fix affects
> us as well. Or which this was fixed upstream. I asked for
> clarification in [1], but might you contact directly as well upstream
> about that?
Hi,
I requested more information about the fix for CVE-2017-12165 in Red
Hat's bug tracker. I couldn't find a recent fixing commit in the
upstream Git repository.
Markus
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#885338; Package src:undertow.
(Fri, 02 Mar 2018 18:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Fri, 02 Mar 2018 18:12:03 GMT) (full text, mbox, link).
Message #15 received at 885338@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: forwarded -1 https://issues.jboss.org/browse/UNDERTOW-1251
It seems this issue is tracked at
https://issues.jboss.org/browse/UNDERTOW-1251
However the bug report appears to be a duplicate of UNDERTOW-1101 which
was CVE-2017-2666 last year. I added a comment and hope that someone can
clarify the situation.
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#885338; Package src:undertow.
(Tue, 08 May 2018 06:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Tue, 08 May 2018 06:48:03 GMT) (full text, mbox, link).
Message #22 received at 885338@bugs.debian.org (full text, mbox, reply):
Hi
On Fri, Mar 02, 2018 at 07:09:10PM +0100, Markus Koschany wrote:
> Control: forwarded -1 https://issues.jboss.org/browse/UNDERTOW-1251
>
> It seems this issue is tracked at
>
> https://issues.jboss.org/browse/UNDERTOW-1251
>
> However the bug report appears to be a duplicate of UNDERTOW-1101 which
> was CVE-2017-2666 last year. I added a comment and hope that someone can
> clarify the situation.
Whoops I missed you followuped as well here. I added the following comment, but
it's unverified that my claim is true:
> [...]
> Regarding the CVE-2017-12165 the distinction
> to CVE-2017-7559 is the following, as far I'm parsing the available
> invoformation.
>
> undertow: HTTP Request smuggling vulnerability (incomplete fix of
> CVE-2017-2666) (CVE-2017-7559)
>
> Then OTOH CVE-2017-12165 is
>
> undertow: improper whitespace parsing leading to potential HTTP
> request smuggling (CVE-2017-12165)
>
> so it's in the same class of issues, I have the slight suspect that
> the fix for CVE-2017-7559 (the incomplete fix for CVE-2017-2666
> fix/commit) includes as well a fix for the "improper whitespace
> parsing", but I cannot say for sure. The commit at least adds several
> tests for "testTabInsteadOfSpaceAfterVerb" and whiespaces.
>
> https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org.
(Mon, 09 Jul 2018 17:31:21 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:01:16 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon