Bug#891929: CVE-2018-1047: information disclosure of arbitrary local files

Salvatore Bonaccorso carnil at debian.org
Fri Mar 2 20:08:35 UTC 2018


Hi!

On Fri, Mar 02, 2018 at 08:46:51PM +0100, Markus Koschany wrote:
> Control: severity -1 important
> 
> I am no longer sure undertow is affected. The issue is marked resolved
> upstream and one of the fixing commits
> 
> https://github.com/wildfly/wildfly/pull/10748/files
> 
> indicates the bug was in WildFly's undertow extension but not in
> Undertow itself. I keep this bug report open for a little while longer
> until UNDERTOW-1295 is resolved and we get more information about the
> vulnerabilities.

Alright, if that turns out to be indeed in WildFly, then the
security-tracker entry should be changed to a NOT-FOR-US. If you don't
want to lose the triage done now, still adding a note would be good.

Thanks a lot for your investigations!

Regards,
Salvatore


