Your message dated Sun, 6 May 2018 21:38:09 +0200
with message-id <91171867-7d8b-c53d-14c9-223822ec9...@debian.org>
and subject line Re: CVE-2018-1048: ALLOW_ENCODED_SLASH option not taken into
account in the AjpRequestParser
has caused the Debian Bug report #891928,
regarding CVE-2018-1048: ALLOW_ENCODED_SLASH option not taken into account in
the AjpRequestParser
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
891928: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891928
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: undertow
Version: 1.4.8-1+deb9u1
Severity: grave
Tags: security
Forwarded: https://issues.jboss.org/browse/UNDERTOW-1245
It was found that the AJP connector in undertow, as shipped in JBoss
EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus
allows the slash / anti-slash characters encoded in the URL, which
may lead to path traversal and result in the information disclosure of
arbitrary local files.
Upstream bug:
https://issues.jboss.org/browse/UNDERTOW-1245
This was apparently fixed in 1.4.22.
--- End Message ---
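As an added illustration of the behaviour the report describes (not code from Undertow or from the reporter), here is a constructed request-path decoder that honours an allow-encoded-slash option beside a variant that ignores it, followed by a root-confinement check. The function names, the `/srv/app` root and the sample paths are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical decoder, not Undertow's API: percent-decodes a request path,
# but turns %2F / %5C into separators only when the option allows it.
def decode_path(raw: str, allow_encoded_slash: bool) -> Optional[str]:
    lowered = raw.lower()
    if not allow_encoded_slash and ("%2f" in lowered or "%5c" in lowered):
        return None  # rejected: encoded separators are not permitted
    # Decode, then treat an (anti-)slash uniformly as a separator.
    return unquote(raw).replace("\\", "/")

# The class of defect in the report: the option is accepted but never
# consulted, so encoded separators are always decoded.
def decode_path_ignoring_option(raw: str, allow_encoded_slash: bool) -> Optional[str]:
    return unquote(raw).replace("\\", "/")

# Segment-wise confinement check: returns the resolved file path under
# the constructed root, or None if any ".." climbs above it.
def resolve_under_root(decoded: str, root: str = "/srv/app") -> Optional[str]:
    depth = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return None  # traversal outside the root
        else:
            depth += 1
    return posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))

# Verdict for one request: "rejected", "traversal", or the resolved path.
def classify_request(raw: str, allow_encoded_slash: bool, decoder=decode_path) -> str:
    decoded = decoder(raw, allow_encoded_slash)
    if decoded is None:
        return "rejected"
    target = resolve_under_root(decoded)
    return "traversal" if target is None else target

if __name__ == "__main__":
    sample = "/static/..%2F..%2Fsecret.txt"  # constructed request path
    print(classify_request(sample, False))                                # rejected
    print(classify_request(sample, False, decode_path_ignoring_option))   # traversal
    print(classify_request("/static/a%20b.txt", False))                   # /srv/app/static/a b.txt
```

The same resolved path is reached whether the separators arrive as `%2F` or `%5C`, which is why the check has to run after decoding and not on the raw request line.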
--- Begin Message ---
I am going to close this bug report because CVE-2018-1048 will not be
fixed in Stretch. As discussed with the security team the package will
be removed instead.
--- End Message ---