Your message dated Sun, 26 Oct 2025 20:38:38 +0100
with message-id <[email protected]>
and subject line Re: undertow: CVE-2023-5379
has caused the Debian Bug report #1059055,
regarding undertow: CVE-2023-5379
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1059055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059055
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: undertow
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for undertow.
CVE-2023-5379[0]:
| A flaw was found in Undertow. When an AJP request is sent that
| exceeds the max-header-size attribute in ajp-listener, JBoss EAP is
| marked in an error state by mod_cluster in httpd, causing JBoss EAP
| to close the TCP connection without returning an AJP response. This
| happens because mod_proxy_cluster marks the JBoss EAP instance as an
| error worker when the TCP connection is closed from the backend
| after sending the AJP request without receiving an AJP response, and
| stops forwarding. This issue could allow a malicious user to
| repeatedly send requests that exceed the max-header-size, causing a
| Denial of Service (DoS).
Only reference is https://bugzilla.redhat.com/show_bug.cgi?id=2242099
so far.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-5379
https://www.cve.org/CVERecord?id=CVE-2023-5379
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Version: 2.3.18-1
Fixed by
https://github.com/undertow-io/undertow/pull/1555/commits/b0732610112cb2066b5e43a47a11008edfacee02
in 2.3.12.Final. First version in Debian was 2.3.18-1.
Closing.
--- End Message ---
--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.