Bug#864405: CVE-2016-2666

Markus Koschany apo at debian.org
Tue Jun 13 20:01:27 UTC 2017


Control: tags -1 moreinfo

On Thu, 8 Jun 2017 09:40:02 +0200 Markus Koschany <apo at debian.org> wrote:
> On 08.06.2017 at 09:01, Moritz Mühlenhoff wrote:
> > retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670
> > thx
> > 
> > Moritz Muehlenhoff wrote:
> >>
> >> There's no other reference than what Red Hat published here:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666
> > 
> > Also:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670
> 
> I requested more information at
> 
> https://issues.jboss.org/browse/UNDERTOW-1094

I have also replied to the CVE-2017-2670 bug report in Red Hat's bug
tracker but haven't got an answer yet.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670

According to the same bug report the vulnerable code is at

https://github.com/undertow-io/undertow/blob/1.4.12.Final/core/src/main/java/io/undertow/server/protocol/framed/AbstractFramedStreamSourceChannel.java#L288

Usually I would expect that there is a recent change but this particular
file has not been updated since September 2016.

At the moment I do not have enough information to assess the severity of
these CVEs and cannot fix them.

Markus

