Source: undertow Source-Version: 1.4.25-1 On Tue, May 29, 2018 at 07:15:33AM +0200, Salvatore Bonaccorso wrote: > Source: undertow > Version: 1.4.3-1 > Severity: important > Tags: security upstream > Forwarded: https://issues.jboss.org/browse/UNDERTOW-1302 > > Hi, > > The following vulnerability was published for undertow, the original > CVE-2016-4993 fixed via 1.4.3 upstream was incomplete. No fix > available at the time of writing. > > CVE-2018-1067[0]: > | In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the > | fix for CVE-2016-4993 was incomplete and Undertow web server is > | vulnerable to the injection of arbitrary HTTP headers, and also > | response splitting, due to insufficient sanitization and validation of > | user input before the input is used as part of an HTTP header value.
So there is now a bit more information available, and the issue was already fixed with https://github.com/undertow-io/undertow/commit/85d4478e598105fe94ac152d3e11e388374e8b86 which is in 1.4.25.Final. Thus marking the issue as fixed in 1.4.25-1. Regards, Salvatore __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.