Hi On Fri, Mar 02, 2018 at 07:09:10PM +0100, Markus Koschany wrote: > Control: forwarded -1 https://issues.jboss.org/browse/UNDERTOW-1251 > > It seems this issue is tracked at > > https://issues.jboss.org/browse/UNDERTOW-1251 > > However the bug report appears to be a duplicate of UNDERTOW-1101 which > was CVE-2017-2666 last year. I added a comment and hope that someone can > clarify the situation.
Whoops I missed you followuped as well here. I added the following comment, but it's unverified that my claim is true: > [...] > Regarding the CVE-2017-12165 the distinction > to CVE-2017-7559 is the following, as far I'm parsing the available > invoformation. > > undertow: HTTP Request smuggling vulnerability (incomplete fix of > CVE-2017-2666) (CVE-2017-7559) > > Then OTOH CVE-2017-12165 is > > undertow: improper whitespace parsing leading to potential HTTP > request smuggling (CVE-2017-12165) > > so it's in the same class of issues, I have the slight suspect that > the fix for CVE-2017-7559 (the incomplete fix for CVE-2017-2666 > fix/commit) includes as well a fix for the "improper whitespace > parsing", but I cannot say for sure. The commit at least adds several > tests for "testTabInsteadOfSpaceAfterVerb" and whiespaces. > > https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2 Regards, Salvatore
