I filed upstream bug https://issues.jboss.org/browse/UNDERTOW-1295
and asked for more information about security vulnerabilities in general. The relevant issues are public now: CVE-2017-7559 was addressed in version 1.4.23 or 2.0.1. Since 2.0.1 requires the servlet 4.0 API which is currently not available in Debian I'm opting for 1.4.23. I still need to find the relevant commit to be able to backport the fix to Stretch.
Description: OpenPGP digital signature