Processed: Re: Bug#864405: CVE-2016-2666

2017-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #864405 [src:undertow] undertow: CVE-2017-2666 CVE-2017-2670
Added tag(s) moreinfo.

-- 
864405: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864405
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#864405: CVE-2016-2666

2017-06-13 Thread Markus Koschany
Control: tags -1 moreinfo

On Thu, 8 Jun 2017 09:40:02 +0200 Markus Koschany wrote:
> On 08.06.2017 at 09:01, Moritz Mühlenhoff wrote:
> > retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670
> > thx
> > 
> > Moritz Muehlenhoff wrote:
> >>
> >> There's no other reference than what Red Hat published here:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
> > 
> > Also:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670
> 
> I requested more information at
> 
> https://issues.jboss.org/browse/UNDERTOW-1094

I have also replied to the CVE-2017-2670 bug report in Red Hat's bug
tracker but haven't got an answer yet.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670

According to the same bug report the vulnerable code is at

https://github.com/undertow-io/undertow/blob/1.4.12.Final/core/src/main/java/io/undertow/server/protocol/framed/AbstractFramedStreamSourceChannel.java#L288

Usually I would expect that there is a recent change but this particular
file has not been updated since September 2016.

At the moment I do not have enough information to assess the severity of
these CVEs and cannot fix them.

Markus





reproducible.debian.net status changes for libhibernate-validator-java

2017-06-13 Thread Reproducible builds folks
2017-06-13 01:50 https://tests.reproducible-builds.org/debian/unstable/amd64/libhibernate-validator-java changed from reproducible -> unreproducible
