[Git][security-tracker-team/security-tracker][master] Mark undertow as no-dsa, will be removed at point release

[Salvatore Bonaccorso]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0c2ef367 by Salvatore Bonaccorso at 2018-05-08T14:45:40+02:00
Mark undertow as no-dsa, will be removed at point release

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -26280,6 +26280,7 @@ CVE-2018-1115
 CVE-2018-1114 [File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service]
 	RESERVED
 	- undertow 1.4.25-1 (bug #897247)
+	[stretch] - undertow <no-dsa> (Scheduled for removal on point release)
 	NOTE: https://issues.jboss.org/browse/UNDERTOW-1338
 	NOTE: https://github.com/undertow-io/undertow/commit/882d5884f2614944a0c2ae69bafd9d13bfc5b64a
 	NOTE: https://bugs.openjdk.java.net/browse/JDK-6956385
@@ -26613,6 +26614,7 @@ CVE-2018-1049 (In systemd prior to 234 a race condition exists between .mount an
 	NOTE: https://github.com/systemd/systemd/commit/e7d54bf58789545a9eb0b3964233defa0b007318
 CVE-2018-1048 (It was found that the AJP connector in undertow, as shipped in Jboss ...)
 	- undertow 1.4.22-1 (bug #891928)
+	[stretch] - undertow <no-dsa> (Scheduled for removal on point release)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1534343
 	NOTE: https://issues.jboss.org/browse/UNDERTOW-1245
 	NOTE: Fixed by https://github.com/undertow-io/undertow/commit/1bc0c275aadf5835abfbd3835d5d78095c2f1cf5
@@ -44345,6 +44347,7 @@ CVE-2017-12197 (It was found that libpam4j up to and including 1.8 did not prope
 	NOTE: (Non-upstream) patch: https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d
 CVE-2017-12196 (undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was ...)
 	- undertow 1.4.25-1
+	[stretch] - undertow <no-dsa> (Scheduled for removal on point release)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503055
 	NOTE: Fixed by https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
 	NOTE: See also https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f
@@ -44492,6 +44495,7 @@ CVE-2017-12166 (OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnera
 CVE-2017-12165 [improper whitespace parsing leading to potential HTTP request smuggling]
 	RESERVED
 	- undertow <unfixed> (bug #885338)
+	[stretch] - undertow <no-dsa> (Scheduled for removal on point release)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490301
 	NOTE: Fix likely included in the same commit as the fix for CVE-2017-7559
 	NOTE: https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2
@@ -58579,6 +58583,7 @@ CVE-2017-7560 (It was found that rhnsd PID files are created as world-writable t
 	NOTE: Introduced by: https://github.com/spacewalkproject/spacewalk/commit/75d9c00b96ab430221c5c7668baebebc74ddd67e
 CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and ...)
 	- undertow 1.4.23-1 (bug #885576)
+	[stretch] - undertow <no-dsa> (Scheduled for removal on point release)
 	NOTE: CVE is for an incomplete fix of CVE-2017-2666
 	NOTE: Invalid characters were still allowed in the query string and path parameters.
 	NOTE: https://issues.jboss.org/browse/UNDERTOW-1165



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0c2ef367fecf07780ea70d081c45185c05e30d67

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0c2ef367fecf07780ea70d081c45185c05e30d67
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180508/383171a9/attachment.html>