Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2018-1067 CVE-2016-4993

Source

Debian Bug report logs - #900323
undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)

Package: src:undertow; Maintainer for src:undertow is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 29 May 2018 05:18:01 UTC

Severity: important

Tags: security, upstream

Found in version undertow/1.4.3-1

Fixed in version undertow/1.4.25-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.jboss.org/browse/UNDERTOW-1302

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#900323; Package src:undertow. (Tue, 29 May 2018 05:18:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 29 May 2018 05:18:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: undertow
Version: 1.4.3-1
Severity: important
Tags: security upstream
Forwarded: https://issues.jboss.org/browse/UNDERTOW-1302

Hi,

The following vulnerability was published for undertow, the original
CVE-2016-4993 fixed via 1.4.3 upstream was incomplete. No fix
available at the time of writing.

CVE-2018-1067[0]:
| In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the
| fix for CVE-2016-4993 was incomplete and Undertow web server is
| vulnerable to the injection of arbitrary HTTP headers, and also
| response splitting, due to insufficient sanitization and validation of
| user input before the input is used as part of an HTTP header value.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1067
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1067
[1] https://issues.jboss.org/browse/UNDERTOW-1302

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#900323; Package src:undertow. (Sun, 03 Jun 2018 19:06:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 03 Jun 2018 19:06:04 GMT) (full text, mbox, link).

Message #10 received at 900323@bugs.debian.org (full text, mbox, reply):

Source: undertow
Source-Version: 1.4.25-1

On Tue, May 29, 2018 at 07:15:33AM +0200, Salvatore Bonaccorso wrote:
> Source: undertow
> Version: 1.4.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://issues.jboss.org/browse/UNDERTOW-1302
> 
> Hi,
> 
> The following vulnerability was published for undertow, the original
> CVE-2016-4993 fixed via 1.4.3 upstream was incomplete. No fix
> available at the time of writing.
> 
> CVE-2018-1067[0]:
> | In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the
> | fix for CVE-2016-4993 was incomplete and Undertow web server is
> | vulnerable to the injection of arbitrary HTTP headers, and also
> | response splitting, due to insufficient sanitization and validation of
> | user input before the input is used as part of an HTTP header value.

So there is now a bit more information available, and the issue was
already fixed with
https://github.com/undertow-io/undertow/commit/85d4478e598105fe94ac152d3e11e388374e8b86
which is in 1.4.25.Final.

Thus marking the issue as fixed in 1.4.25-1.

Regards,
Salvatore

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 03 Jun 2018 19:06:06 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 03 Jun 2018 19:06:06 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Jul 2018 07:26:09 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:19:12 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)

Debian Bug report logs - #900323
undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)

Vulmon Search

About

Products

Connect

undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)

Debian Bug report logs - #900323 undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)

Vulmon Search

About

Products

Connect

Debian Bug report logs - #900323
undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)