Control: tags -1 moreinfo

On Thu, 8 Jun 2017 09:40:02 +0200 Markus Koschany <a...@debian.org> wrote:
> On 08.06.2017 at 09:01 Moritz Mühlenhoff wrote:
> > retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670
> > thx
> >
> > Moritz Muehlenhoff wrote:
> >>
> >> There's no other reference than what Red Hat published here:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
> >
> > Also:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670
> >
> > I requested more information at
> > https://issues.jboss.org/browse/UNDERTOW-1094
I have also replied to the CVE-2017-2670 bug report in Red Hat's bug tracker but haven't got an answer yet.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670

According to the same bug report the vulnerable code is at
https://github.com/undertow-io/undertow/blob/1.4.12.Final/core/src/main/java/io/undertow/server/protocol/framed/AbstractFramedStreamSourceChannel.java#L288

Usually I would expect that there is a recent change, but this particular file has not been updated since September 2016. At the moment I do not have enough information to assess the severity of these CVEs and cannot fix them.

Markus
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.