Your message dated Sat, 15 Jul 2017 21:48:43 +0000
with message-id <e1dwuvb-000a9r...@fasolo.debian.org>
and subject line Bug#864405: fixed in undertow 1.4.8-1+deb9u1
has caused the Debian Bug report #864405,
regarding undertow: CVE-2017-2666 CVE-2017-2670
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
864405: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864405
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: undertow
Severity: grave
Tags: security
There's no other reference than what Red Hat published here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
Upstream needs to be contacted or the patch pulled from their
update.
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: undertow
Source-Version: 1.4.8-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
undertow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated undertow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 11 Jul 2017 13:37:02 +0200
Source: undertow
Binary: libundertow-java libundertow-java-doc
Architecture: source all
Version: 1.4.8-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libundertow-java - flexible performant web server written in Java
 libundertow-java-doc - Documentation for Undertow
Closes: 864405
Changes:
 undertow (1.4.8-1+deb9u1) stretch-security; urgency=high
 .
   * Fix CVE-2017-2666 and CVE-2017-2670:
     - CVE-2017-2666:
       Prevent HTTP smuggling attacks by making sure messages do not contain
       invalid headers.
     - CVE-2017-2670:
       Fix possible DoS attack. The websocket non clean close can cause IO
       thread to get stuck in a loop.
     (Closes: #864405)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---