Bug 28076

Summary: undertow new security issue CVE-2020-10719
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-10719
Whiteboard: MGA7-64-OK
Source RPM: undertow-1.4.0-2.mga7.src.rpm CVE: CVE-2020-10719
Status comment:

Description Zombie Ryushu 2021-01-13 09:13:38 CET 
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
Zombie Ryushu 2021-01-13 09:13:57 CET

CVE: (none) => CVE-2020-10719

Comment 1 Aurelien Oudelet 2021-01-13 15:23:42 CET 
Dropped in Cauldron.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => mageia, ouaurelien

Aurelien Oudelet 2021-01-13 15:23:54 CET

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-01-13 17:39:26 CET 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10719
https://security-tracker.debian.org/tracker/CVE-2020-10719

Summary: undertow security issue CVE-2020-10719 => undertow new security issue CVE-2020-10719
Severity: normal => major
Assignee: pkg-bugs => java
Status comment: (none) => Fixed upstream in 2.1.1

Comment 3 David GEIGER 2021-01-14 08:08:34 CET 
Done for mga7!

CC: (none) => geiger.david68210

Comment 4 David Walser 2021-01-14 17:33:00 CET 
Advisory:
========================

Updated undertow packages fix security vulnerability:

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the
processing of invalid HTTP requests with large chunk sizes. This flaw allows an
attacker to take advantage of HTTP request smuggling (CVE-2020-10719).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10719
========================

Updated packages in core/updates_testing:
========================
undertow-1.4.0-2.1.mga7
undertow-javadoc-1.4.0-2.1.mga7

from undertow-1.4.0-2.1.mga7.src.rpm

Assignee: java => qa-bugs
Status comment: Fixed upstream in 2.1.1 => (none)

Comment 5 Thomas Andrews 2021-01-21 22:43:18 CET 
Installed both packages, and updated. No installation issues.

Looked back for another bug for this package, and only found an obscure reference in a bug concerning a differnt package, which is also been dropped for Mageia 8.

OKing this on a clean install. Validatingt. Advisory in Comment 4.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Aurelien Oudelet 2021-01-22 16:34:12 CET 
Advisory pushed to SVN.

Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-01-23 00:51:34 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0052.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED