resteasy: CVE-2017-7561: Vary header not added by CORS filter leading to cache poisoning

Related Vulnerabilities: CVE-2017-7561  

Debian Bug report logs - #873392


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 27 Aug 2017 12:36:02 UTC

Severity: important

Tags: security, upstream

Found in version resteasy/3.1.0-2

Fixed in version resteasy/3.6.2-1

Done: Timo Aaltonen <tjaalton@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.jboss.org/projects/RESTEASY/issues/RESTEASY-1704




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#873392; Package src:resteasy. (Sun, 27 Aug 2017 12:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 27 Aug 2017 12:36:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: resteasy: CVE-2017-7561: Vary header not added by CORS filter leading to cache poisoning
Date: Sun, 27 Aug 2017 14:34:02 +0200
Source: resteasy
Version: 3.1.0-2
Severity: important
Tags: security upstream
Forwarded: https://issues.jboss.org/projects/RESTEASY/issues/RESTEASY-1704

Hi,

the following vulnerability was published for resteasy.

CVE-2017-7561[0]:
Vary header not added by CORS filter leading to cache poisoning

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7561
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7561
[1] https://issues.jboss.org/projects/RESTEASY/issues/RESTEASY-1704

Regards,
Salvatore
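The title of the report names the defect class but not its mechanism, so the following is an added illustration (example code written for this page, not RESTEasy's own CorsFilter or any Debian patch). It models a CORS response filter that reflects an allow-listed request Origin into Access-Control-Allow-Origin, once without and once with a `Vary: Origin` header, and runs two origins through a minimal shared cache that keys stored responses on the headers named in Vary. The origins, URL and cache model are constructed for the example; `audit_cors_response` is a hypothetical defender-side check that flags origin-specific CORS responses lacking `Vary: Origin`.

```python
"""Why a reflecting CORS filter must emit Vary: Origin (constructed example)."""
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, str]

# Constructed allow-list of origins for this example (hypothetical hostnames).
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def _hget(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_filter(request: Headers, add_vary: bool) -> Headers:
    """Model of a CORS response filter that reflects an allow-listed Origin.

    add_vary=False models the defect class named in the bug title: the filter
    sets Access-Control-Allow-Origin per origin but never adds Vary.
    add_vary=True is the corrected behaviour.
    """
    response: Headers = {
        "Content-Type": "application/json",
        "Cache-Control": "public, max-age=600",  # storable by shared caches
    }
    origin = _hget(request, "Origin")
    if origin in ALLOWED_ORIGINS:
        response["Access-Control-Allow-Origin"] = origin
        response["Access-Control-Allow-Credentials"] = "true"
    if add_vary:
        response["Vary"] = "Origin"
    return response


def audit_cors_response(response: Headers) -> List[str]:
    """Hypothetical defender's check over captured response headers.

    A response that grants CORS access to one specific origin must carry
    Vary: Origin, otherwise a shared cache may reuse it for requests from
    other origins. Returns a list of findings; an empty list means no issue.
    """
    findings: List[str] = []
    acao = _hget(response, "Access-Control-Allow-Origin")
    vary = {v.strip().lower() for v in (_hget(response, "Vary") or "").split(",") if v.strip()}
    if acao and acao != "*" and "origin" not in vary and "*" not in vary:
        findings.append("origin-specific Access-Control-Allow-Origin without Vary: Origin")
    return findings


class SharedCache:
    """Minimal model of an RFC 7234 shared cache.

    A stored response is reused only when the request's values for every
    header named in that response's Vary field match the values of the
    request that stored it. With no Vary field, the URL alone is the key.
    """

    def __init__(self) -> None:
        # url -> list of (vary header names, stored request values, response)
        self._store: Dict[str, List[Tuple[Tuple[str, ...], Tuple[Optional[str], ...], Headers]]] = {}

    def fetch(self, url: str, request: Headers,
              origin_server: Callable[[Headers], Headers]) -> Tuple[Headers, bool]:
        """Return (response headers, served_from_cache)."""
        for names, values, cached in self._store.get(url, []):
            if all(_hget(request, n) == v for n, v in zip(names, values)):
                return dict(cached), True
        response = origin_server(request)
        names = tuple(n.strip() for n in (_hget(response, "Vary") or "").split(",") if n.strip())
        values = tuple(_hget(request, n) for n in names)
        self._store.setdefault(url, []).append((names, values, response))
        return dict(response), False


def run_scenario(add_vary: bool) -> Tuple[Optional[str], Optional[str], bool]:
    """Two allow-listed origins request the same resource through one shared cache.

    Returns (ACAO seen by the first origin, ACAO seen by the second origin,
    whether the second response was served from the cache).
    """
    cache = SharedCache()
    server = lambda req: cors_filter(req, add_vary)
    url = "https://api.example/profile"  # constructed URL
    first, _ = cache.fetch(url, {"Origin": "https://app.example"}, server)
    second, from_cache = cache.fetch(url, {"Origin": "https://admin.example"}, server)
    return (_hget(first, "Access-Control-Allow-Origin"),
            _hget(second, "Access-Control-Allow-Origin"),
            from_cache)


if __name__ == "__main__":
    for add_vary in (False, True):
        label = "Vary: Origin present" if add_vary else "no Vary header"
        print(f"{label}: {run_scenario(add_vary)}")
```

Without Vary the second origin is handed the cached response that names the first origin in Access-Control-Allow-Origin, which is the poisoned-cache condition the report refers to; with `Vary: Origin` the cache keeps one entry per origin and each client receives a response generated for its own Origin. The audit function is the check to run over captured responses from any CORS-enabled endpoint sitting behind a CDN or reverse-proxy cache.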



Bug 873392 cloned as bug 908836 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 14 Sep 2018 19:33:05 GMT) (full text, mbox, link).


Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Tue, 04 Dec 2018 16:15:14 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 04 Dec 2018 16:15:14 GMT) (full text, mbox, link).


Message #12 received at 873392-close@bugs.debian.org (full text, mbox, reply):

From: Timo Aaltonen <tjaalton@debian.org>
To: 873392-close@bugs.debian.org
Subject: Bug#873392: fixed in resteasy 3.6.2-1
Date: Tue, 04 Dec 2018 16:13:40 +0000
Source: resteasy
Source-Version: 3.6.2-1

We believe that the bug you reported is fixed in the latest version of
resteasy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated resteasy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 04 Dec 2018 17:12:38 +0200
Source: resteasy
Binary: libresteasy-java
Architecture: source
Version: 3.6.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
 libresteasy-java - RESTEasy -- Framework for RESTful Web services and Java applicati
Closes: 873392 888081
Changes:
 resteasy (3.6.2-1) unstable; urgency=medium
 .
   * New upstream release. (Closes: #888081)
     - CVE-2017-7561 (Closes: #873392)
     - Refresh the patch
     - Update Maven rules
     - Add libreactive-streams-java to build-depends
     - Add libgeronimo-validation-1.1-spec-java to build-depends
   * poms: Ignore client-jetty, client-microprofile.
   * maven.rules: Updated.
   * control, jaxb-api-compatibility.diff: Fix build, add libjaxb-api-
     java to build-depends.
   * control: Add libhttpasyncclient-java to build-depends.
   * libresteasy-java.poms: Ignore some poms.
   * maven.ignoreRules: Ignore jetty-client.
   * control: Update VCS urls.
   * control: Add libjsonp-java to build-depends.
Checksums-Sha1:
 28a9391d2b06e405db8b17deaac4f4db77baf938 2414 resteasy_3.6.2-1.dsc
 9e7c3833dfe2398a36f6b0f9f7f07f96876af13a 7928459 resteasy_3.6.2.orig.tar.gz
 e198a7bea4c867d72752d4719efcd983c7ff92ed 6404 resteasy_3.6.2-1.debian.tar.xz
 448f028f689829198971781da629e484e55cbe77 6045 resteasy_3.6.2-1_source.buildinfo
Checksums-Sha256:
 4952290c1bbc1bf4a1db65517f2b2385bf449eba20d40a3994c4931fec91ae80 2414 resteasy_3.6.2-1.dsc
 9cda8b13795ff3aa6474ec7390b8965157cbbefc94d6498e01830bb5e770007e 7928459 resteasy_3.6.2.orig.tar.gz
 0133e6365a2d6309d3cbc5f6269dc3714745d569678a4a7d716c91024d51a3f3 6404 resteasy_3.6.2-1.debian.tar.xz
 f0a8bb04bce9594b24c362e37d16e727c885e6eb92f3e6d132b93c528a0bd0e3 6045 resteasy_3.6.2-1_source.buildinfo
Files:
 91dc4b0a1ac1bb65492aefce141b4e52 2414 java optional resteasy_3.6.2-1.dsc
 9fffab9865a09dad0c373c042bcc539d 7928459 java optional resteasy_3.6.2.orig.tar.gz
 6651993e3bab624ef9df6c9b45463a25 6404 java optional resteasy_3.6.2-1.debian.tar.xz
 e0c378ca9a3328a74b15e37d1e82cc4c 6045 java optional resteasy_3.6.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Jan 2019 07:33:38 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:38:35 2019; Machine Name: buxtehude
