Bug#900323: undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)

Salvatore Bonaccorso carnil at debian.org
Sun Jun 3 20:02:34 BST 2018


Source: undertow
Source-Version: 1.4.25-1

On Tue, May 29, 2018 at 07:15:33AM +0200, Salvatore Bonaccorso wrote:
> Source: undertow
> Version: 1.4.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://issues.jboss.org/browse/UNDERTOW-1302
> 
> Hi,
> 
> The following vulnerability was published for undertow; the original
> CVE-2016-4993 fix via 1.4.3 upstream was incomplete. No fix
> available at the time of writing.
> 
> CVE-2018-1067[0]:
> | In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the
> | fix for CVE-2016-4993 was incomplete and Undertow web server is
> | vulnerable to the injection of arbitrary HTTP headers, and also
> | response splitting, due to insufficient sanitization and validation of
> | user input before the input is used as part of an HTTP header value.

So there is now a bit more information available, and the issue was
already fixed with
https://github.com/undertow-io/undertow/commit/85d4478e598105fe94ac152d3e11e388374e8b86
which is in 1.4.25.Final.

Thus marking the issue as fixed in 1.4.25-1.

Regards,
Salvatore
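The defensive lesson behind the CVE text quoted above is that a header-value check has to cover the bytes that are actually written to the socket, not only the decoded string. The following Python example is added here for illustration and is not Undertow's code nor the upstream fix; it assumes a minimal header serialiser with ISO-8859-1 as its default charset (a choice for the example, not something the report specifies):

```python
"""Strict HTTP header serialisation: validate the bytes that will go on the
wire, not just the decoded string, so no encoding step can smuggle CR/LF."""
import re

# RFC 7230 field-value content: VCHAR (0x21-0x7E), obs-text (0x80-0xFF),
# plus SP (0x20) and HTAB (0x09). CR (0x0D), LF (0x0A) and every other
# control byte fall outside this set and are rejected.
_ALLOWED_BYTES = frozenset(range(0x21, 0x7F)) | frozenset(range(0x80, 0x100)) | {0x20, 0x09}
_TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token


class HeaderInjectionError(ValueError):
    """Raised when a header name or value cannot be emitted safely."""


def encode_header_value(value: str, charset: str = "iso-8859-1") -> bytes:
    """Return the wire bytes for a header value or raise HeaderInjectionError."""
    try:
        # errors="strict": a character the charset cannot represent raises
        # instead of being replaced or truncated on its way to the socket.
        raw = value.encode(charset)
    except UnicodeEncodeError as exc:
        raise HeaderInjectionError(f"value not encodable as {charset}: {exc.reason}") from exc
    bad = [f"0x{b:02x}" for b in raw if b not in _ALLOWED_BYTES]
    if bad:
        raise HeaderInjectionError(f"forbidden byte(s) {bad} in header value")
    return raw


def encode_header_name(name: str) -> bytes:
    """Header names must be ASCII tokens; anything else is rejected."""
    raw = name.encode("ascii", errors="replace")  # non-ASCII becomes '?', not a token char
    if not _TOKEN_RE.match(raw):
        raise HeaderInjectionError(f"invalid header name {name!r}")
    return raw


def build_header_block(headers, charset: str = "iso-8859-1") -> bytes:
    """Serialise (name, value) pairs; each line is validated before the CRLF
    terminator is appended, so the only CR/LF bytes in the output are ours."""
    lines = (encode_header_name(n) + b": " + encode_header_value(v, charset) + b"\r\n"
             for n, v in headers)
    return b"".join(lines) + b"\r\n"


def is_safe_value(value: str, charset: str = "iso-8859-1") -> bool:
    """Convenience predicate around encode_header_value."""
    try:
        encode_header_value(value, charset)
        return True
    except HeaderInjectionError:
        return False
```

Running the validator on the encoded bytes means the same rule applies whatever charset the application chooses, and a value the charset cannot represent is refused rather than silently altered.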
