I filed upstream bug https://issues.jboss.org/browse/UNDERTOW-1295 and asked for more information about security vulnerabilities in general. The relevant issues are public now: CVE-2017-7559 was addressed in version 1.4.23 or 2.0.1. Since 2.0.1 requires the Servlet 4.0 API, which is currently not available in Debian, I'm opting for 1.4.23. I still need to find the relevant commit to be able to backport the fix to Stretch.
-- 
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.