Bug#885576: undertow: CVE-2017-7559: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
Markus Koschany
apo at debian.org
Fri Mar 2 17:26:15 UTC 2018
I filed an upstream bug
https://issues.jboss.org/browse/UNDERTOW-1295
and asked for more information about security vulnerabilities in general.
The relevant issues are public now:
CVE-2017-7559 was addressed in version 1.4.23 or 2.0.1. Since 2.0.1
requires the servlet 4.0 API, which is currently not available in Debian,
I'm opting for 1.4.23. I still need to find the relevant commit to be
able to backport the fix to Stretch.