Bug#885338: undertow: CVE-2017-7559: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
Salvatore Bonaccorso
carnil at debian.org
Tue May 8 07:44:03 BST 2018
Hi
On Fri, Mar 02, 2018 at 07:09:10PM +0100, Markus Koschany wrote:
> Control: forwarded -1 https://issues.jboss.org/browse/UNDERTOW-1251
>
> It seems this issue is tracked at
>
> https://issues.jboss.org/browse/UNDERTOW-1251
>
> However the bug report appears to be a duplicate of UNDERTOW-1101 which
> was CVE-2017-2666 last year. I added a comment and hope that someone can
> clarify the situation.
Whoops, I missed that you followed up here as well. I added the following comment, but
it's unverified that my claim is true:
> [...]
> Regarding CVE-2017-12165, the distinction
> to CVE-2017-7559 is the following, as far as I'm parsing the available
> information.
>
> undertow: HTTP Request smuggling vulnerability (incomplete fix of
> CVE-2017-2666) (CVE-2017-7559)
>
> Then OTOH CVE-2017-12165 is
>
> undertow: improper whitespace parsing leading to potential HTTP
> request smuggling (CVE-2017-12165)
>
> so it's in the same class of issues. I have the slight suspicion that
> the fix for CVE-2017-7559 (the incomplete fix for CVE-2017-2666
> fix/commit) includes as well a fix for the "improper whitespace
> parsing", but I cannot say for sure. The commit at least adds several
> tests for "testTabInsteadOfSpaceAfterVerb" and whitespaces.
>
> https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2
Regards,
Salvatore
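Added example, not Undertow's code: a strict HTTP/1.1 request-line tokenizer that illustrates the class of check the commit's tests are named for (tab instead of space after the verb, stray whitespace). Every hop that applies the same single-SP rule frames a request identically, which is the property request-smuggling defences rely on. The request lines used in the test are constructed.

```python
"""Strict HTTP/1.1 request-line tokenizer (RFC 7230 section 3.1.1).

Added illustration, not Undertow code: shows the class of check the
commit's tests (e.g. "tab instead of space after verb") exercise.  A
front-end proxy and a back-end server that disagree on whether HTAB or
repeated SP separates the method from the target may frame the same
bytes as different requests, which is the root of request smuggling.
"""
import re

# token = 1*tchar (RFC 7230 section 3.2.6); HTTP-version = "HTTP/" DIGIT "." DIGIT
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_METHOD = re.compile(rf"^{_TCHAR}$")
_VERSION = re.compile(r"^HTTP/\d\.\d$")


class MalformedRequestLine(ValueError):
    """Raised for any request line that is not exactly 'method SP target SP version'."""


def parse_request_line(line: str) -> tuple[str, str, str]:
    """Return (method, request-target, version) or raise MalformedRequestLine.

    Only a single SP (0x20) is accepted as separator.  HTAB, consecutive
    SPs, leading/trailing whitespace and bare CR/LF are all rejected
    instead of being silently normalised.
    """
    if line.endswith("\r\n"):
        line = line[:-2]
    if any(ch in line for ch in "\r\n\t\x0b\x0c"):
        raise MalformedRequestLine("control or tab character in request line")
    parts = line.split(" ")
    if len(parts) != 3 or "" in parts:
        raise MalformedRequestLine("request line must be 'method SP target SP version'")
    method, target, version = parts
    if not _METHOD.match(method):
        raise MalformedRequestLine(f"invalid method token: {method!r}")
    if not _VERSION.match(version):
        raise MalformedRequestLine(f"invalid HTTP-version: {version!r}")
    return method, target, version


def classify(line: str) -> str:
    """Return 'accepted' or the rejection reason; handy for tests and logs."""
    try:
        parse_request_line(line)
        return "accepted"
    except MalformedRequestLine as exc:
        return str(exc)
```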