Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
0c2ef367 by Salvatore Bonaccorso at 2018-05-08T14:45:40+02:00
Mark undertow as no-dsa, will be removed at point release
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -26280,6 +26280,7 @@ CVE-2018-1115
CVE-2018-1114 [File descriptor leak caused by
JarURLConnection.getLastModified() allows attacker to cause a denial of service]
RESERVED
- undertow 1.4.25-1 (bug #897247)
+ [stretch] - undertow <no-dsa> (Scheduled for removal on point release)
NOTE: https://issues.jboss.org/browse/UNDERTOW-1338
NOTE:
https://github.com/undertow-io/undertow/commit/882d5884f2614944a0c2ae69bafd9d13bfc5b64a
NOTE: https://bugs.openjdk.java.net/browse/JDK-6956385
@@ -26613,6 +26614,7 @@ CVE-2018-1049 (In systemd prior to 234 a race condition
exists between .mount an
NOTE:
https://github.com/systemd/systemd/commit/e7d54bf58789545a9eb0b3964233defa0b007318
CVE-2018-1048 (It was found that the AJP connector in undertow, as shipped in
Jboss ...)
- undertow 1.4.22-1 (bug #891928)
+ [stretch] - undertow <no-dsa> (Scheduled for removal on point release)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1534343
NOTE: https://issues.jboss.org/browse/UNDERTOW-1245
NOTE: Fixed by
https://github.com/undertow-io/undertow/commit/1bc0c275aadf5835abfbd3835d5d78095c2f1cf5
@@ -44345,6 +44347,7 @@ CVE-2017-12197 (It was found that libpam4j up to and
including 1.8 did not prope
NOTE: (Non-upstream) patch:
https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d
CVE-2017-12196 (undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final
was ...)
- undertow 1.4.25-1
+ [stretch] - undertow <no-dsa> (Scheduled for removal on point release)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503055
NOTE: Fixed by
https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
NOTE: See also
https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f
@@ -44492,6 +44495,7 @@ CVE-2017-12166 (OpenVPN versions before 2.3.3 and 2.4.x
before 2.4.4 are vulnera
CVE-2017-12165 [improper whitespace parsing leading to potential HTTP request
smuggling]
RESERVED
- undertow <unfixed> (bug #885338)
+ [stretch] - undertow <no-dsa> (Scheduled for removal on point release)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490301
NOTE: Fix likely included in the same commit as the fix for
CVE-2017-7559
NOTE:
https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2
@@ -58579,6 +58583,7 @@ CVE-2017-7560 (It was found that rhnsd PID files are
created as world-writable t
NOTE: Introduced by:
https://github.com/spacewalkproject/spacewalk/commit/75d9c00b96ab430221c5c7668baebebc74ddd67e
CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final,
and ...)
- undertow 1.4.23-1 (bug #885576)
+ [stretch] - undertow <no-dsa> (Scheduled for removal on point release)
NOTE: CVE is for an incomplete fix of CVE-2017-2666
NOTE: Invalid characters were still allowed in the query string and
path parameters.
NOTE: https://issues.jboss.org/browse/UNDERTOW-1165
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0c2ef367fecf07780ea70d081c45185c05e30d67
---
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0c2ef367fecf07780ea70d081c45185c05e30d67
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
