Your message dated Sun, 06 May 2018 21:00:20 +0000
with message-id <[email protected]>
and subject line Bug#897247: fixed in undertow 1.4.25-1
has caused the Debian Bug report #897247,
regarding undertow: CVE-2018-1114: File descriptor leak caused by
JarURLConnection.getLastModified() allows attacker to cause a denial of service
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
897247: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897247
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: undertow
Version: 1.4.23-3
Severity: important
Tags: patch security upstream
Forwarded: https://issues.jboss.org/browse/UNDERTOW-1338
Hi,
The following vulnerability was published for undertow.
CVE-2018-1114[0]:
|File descriptor leak caused by JarURLConnection.getLastModified()
|allows attacker to cause a denial of service
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1114
[1] https://issues.jboss.org/browse/UNDERTOW-1338
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: undertow
Source-Version: 1.4.25-1
We believe that the bug you reported is fixed in the latest version of
undertow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated undertow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 06 May 2018 21:29:28 +0200
Source: undertow
Binary: libundertow-java libundertow-java-doc
Architecture: source
Version: 1.4.25-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Description:
libundertow-java - flexible performant web server written in Java
libundertow-java-doc - Documentation for Undertow
Closes: 897247
Changes:
undertow (1.4.25-1) unstable; urgency=medium
.
  * New upstream version 1.4.25
    - Fix CVE-2018-1114: File descriptor leak caused by
      JarURLConnection.getLastModified() allows attacker to cause a denial of
      service. (Closes: #897247)
    - Fix CVE-2017-12196: When using Digest authentication the server does not
      ensure that the value of URI in the Authorization header matches the URI
      in HTTP request line. This allows the attacker to cause a MITM attack and
      access the desired content on the server.
  * Declare compliance with Debian Policy 4.1.4.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---