Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 0c2ef367 by Salvatore Bonaccorso at 2018-05-08T14:45:40+02:00 Mark undertow as no-dsa, will be removed at point release - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -26280,6 +26280,7 @@ CVE-2018-1115 CVE-2018-1114 [File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service] RESERVED - undertow 1.4.25-1 (bug #897247) + [stretch] - undertow <no-dsa> (Scheduled for removal on point release) NOTE: https://issues.jboss.org/browse/UNDERTOW-1338 NOTE: https://github.com/undertow-io/undertow/commit/882d5884f2614944a0c2ae69bafd9d13bfc5b64a NOTE: https://bugs.openjdk.java.net/browse/JDK-6956385 @@ -26613,6 +26614,7 @@ CVE-2018-1049 (In systemd prior to 234 a race condition exists between .mount an NOTE: https://github.com/systemd/systemd/commit/e7d54bf58789545a9eb0b3964233defa0b007318 CVE-2018-1048 (It was found that the AJP connector in undertow, as shipped in Jboss ...) - undertow 1.4.22-1 (bug #891928) + [stretch] - undertow <no-dsa> (Scheduled for removal on point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1534343 NOTE: https://issues.jboss.org/browse/UNDERTOW-1245 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/1bc0c275aadf5835abfbd3835d5d78095c2f1cf5 @@ -44345,6 +44347,7 @@ CVE-2017-12197 (It was found that libpam4j up to and including 1.8 did not prope NOTE: (Non-upstream) patch: https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d CVE-2017-12196 (undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was ...) - undertow 1.4.25-1 + [stretch] - undertow <no-dsa> (Scheduled for removal on point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503055 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870 NOTE: See also https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f @@ -44492,6 +44495,7 @@ CVE-2017-12166 (OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnera CVE-2017-12165 [improper whitespace parsing leading to potential HTTP request smuggling] RESERVED - undertow <unfixed> (bug #885338) + [stretch] - undertow <no-dsa> (Scheduled for removal on point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490301 NOTE: Fix likely included in the same commit as the fix for CVE-2017-7559 NOTE: https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2 @@ -58579,6 +58583,7 @@ CVE-2017-7560 (It was found that rhnsd PID files are created as world-writable t NOTE: Introduced by: https://github.com/spacewalkproject/spacewalk/commit/75d9c00b96ab430221c5c7668baebebc74ddd67e CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and ...) - undertow 1.4.23-1 (bug #885576) + [stretch] - undertow <no-dsa> (Scheduled for removal on point release) NOTE: CVE is for an incomplete fix of CVE-2017-2666 NOTE: Invalid characters were still allowed in the query string and path parameters. NOTE: https://issues.jboss.org/browse/UNDERTOW-1165 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0c2ef367fecf07780ea70d081c45185c05e30d67 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0c2ef367fecf07780ea70d081c45185c05e30d67 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits