Processed: Re: Bug#864405: CVE-2016-2666

2017-06-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo
Bug #864405 [src:undertow] undertow: CVE-2017-2666 CVE-2017-2670
Removed tag(s) moreinfo.
> tags -1 pending
Bug #864405 [src:undertow] undertow: CVE-2017-2666 CVE-2017-2670
Added tag(s) pending.

-- 
864405: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864405
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#864405: CVE-2016-2666

2017-06-29 Thread Markus Koschany
Control: tags -1 -moreinfo
Control: tags -1 pending

Upstream communication was not really great but I believe the issue was
fixed in 1.4.17.

CVE-2017-2666: https://issues.jboss.org/browse/UNDERTOW-1101
Fixing commit:
https://github.com/undertow-io/undertow/commit/1e72647818c9fb31b693a953b1ae595a6c82eb7f

CVE-2017-2670: https://issues.jboss.org/browse/UNDERTOW-1035
Fixing commit:
https://github.com/undertow-io/undertow/commit/9bfe9fbbb595d51157b61693f072895f7dbadd1d

Upload is pending.

Markus


Bug#864405: CVE-2016-2666

2017-06-13 Thread Markus Koschany
Control: tags -1 moreinfo

On Thu, 8 Jun 2017 09:40:02 +0200 Markus Koschany  wrote:
> On 08.06.2017 at 09:01, Moritz Mühlenhoff wrote:
> > retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670
> > thx
> > 
> > Moritz Muehlenhoff wrote:
> >>
> >> There's no other reference than what Red Hat published here:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
> > 
> > Also:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670
> 
> I requested more information at
> 
> https://issues.jboss.org/browse/UNDERTOW-1094

I have also replied to the CVE-2017-2670 bug report in Red Hat's bug
tracker but haven't got an answer yet.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670

According to the same bug report the vulnerable code is at

https://github.com/undertow-io/undertow/blob/1.4.12.Final/core/src/main/java/io/undertow/server/protocol/framed/AbstractFramedStreamSourceChannel.java#L288

Usually I would expect that there is a recent change but this particular
file has not been updated since September 2016.

At the moment I do not have enough information to assess the severity of
these CVEs and cannot fix them.

Markus


Processed: Re: Bug#864405: CVE-2016-2666

2017-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #864405 [src:undertow] undertow: CVE-2017-2666 CVE-2017-2670
Added tag(s) moreinfo.

-- 
864405: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864405
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Bug#864405: CVE-2016-2666

2017-06-08 Thread Markus Koschany
On 08.06.2017 at 09:01, Moritz Mühlenhoff wrote:
> retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670
> thx
> 
> Moritz Muehlenhoff wrote:
>>
>> There's no other reference than what Red Hat published here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
> 
> Also:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670

I requested more information at

https://issues.jboss.org/browse/UNDERTOW-1094


Bug#864405: CVE-2016-2666

2017-06-08 Thread Moritz Mühlenhoff
retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670
thx

Moritz Muehlenhoff wrote:
> 
> There's no other reference than what Red Hat published here:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666

Also:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670
 
Cheers,
Moritz


Bug#864405: CVE-2016-2666

2017-06-08 Thread Moritz Muehlenhoff
Source: undertow
Severity: grave
Tags: security

There's no other reference than what Red Hat published here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666

Upstream needs to be contacted or the patch pulled from their
update.

Cheers,
Moritz
