ESB-2017.1728 - [Debian] undertow: Multiple vulnerabilities 2017-07-13


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1728
                         undertow security update
                               13 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           undertow
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-2670 CVE-2017-2666 

Reference:         ESB-2017.1438

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3906

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3906-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 11, 2017                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : undertow
CVE ID         : CVE-2017-2666 CVE-2017-2670

Two vulnerabilities have been discovered in Undertow, a web server
written in Java, which may lead to denial of service or HTTP request
smuggling.

For the stable distribution (stretch), these problems have been fixed in
version 1.4.8-1+deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 1.4.18-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.18-1.

We recommend that you upgrade your undertow packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
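The advisory above gives fixed package versions per suite but no way to check a host against them. As an added example (not part of DSA-3906 or the AusCERT bulletin), the following Python script reimplements dpkg's version ordering rules (epoch, upstream, revision; '~' sorts before anything, numeric runs compared numerically) so that package inventories collected from many hosts can be audited off-box against the versions the DSA lists. The binary package name libundertow-java is an assumption, and the dpkg-query output embedded below is constructed sample data.

```python
"""Audit an undertow package version against the DSA-3906 fixed versions.

Added example, not part of DSA-3906 or the AusCERT bulletin. The version
ordering follows dpkg's vercmp rules so the check can run on any platform.
"""

# Fixed versions as stated in DSA-3906 (stable, testing, unstable).
FIXED_VERSIONS = {
    "stretch": "1.4.8-1+deb9u1",
    "buster": "1.4.18-1",
    "sid": "1.4.18-1",
}

# Assumed name of the binary package built from the undertow source package.
PACKAGE = "libundertow-java"


def _order(c):
    """Character weight as in dpkg: end/digit 0, '~' -1, letters their
    ASCII value, any other non-digit its ASCII value + 256."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isascii() and c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments with dpkg's alternating
    non-digit / digit scan. Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one at a time.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision present
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Order two Debian version strings like dpkg --compare-versions."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def is_fixed(installed, suite):
    """True when installed is at or above the DSA-3906 fixed version for suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


def parse_dpkg_query(output):
    r"""Parse lines of `dpkg-query -W -f='${Package} ${Version}\n'` into a dict."""
    versions = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            versions[parts[0]] = parts[1]
    return versions


def audit(output, suite):
    """Return (installed_version, fixed?) for the undertow package, or None
    when the package is not installed at all."""
    installed = parse_dpkg_query(output).get(PACKAGE)
    if installed is None:
        return None
    return installed, is_fixed(installed, suite)


# Constructed sample inventories for two stretch hosts (not real data).
SAMPLE_STRETCH_VULNERABLE = "libundertow-java 1.4.8-1\nopenjdk-8-jre-headless 8u131-b11-2\n"
SAMPLE_STRETCH_PATCHED = "libundertow-java 1.4.8-1+deb9u1\n"

if __name__ == "__main__":
    for name, out in (("vulnerable", SAMPLE_STRETCH_VULNERABLE), ("patched", SAMPLE_STRETCH_PATCHED)):
        print(name, audit(out, "stretch"))
```

On the Debian host itself the same check is a one-liner, dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libundertow-java)" ge 1.4.8-1+deb9u1, again assuming that package name. Either way this only covers the distribution package: a copy of Undertow bundled inside an application deployment (for example a jar shipped with a Java application server) is not touched by the Debian update and has to be checked and upgraded separately.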

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
