Bug 28076 - undertow new security issue CVE-2020-10719
Summary: undertow new security issue CVE-2020-10719
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-01-13 09:13 CET by Zombie Ryushu
Modified: 2021-01-23 00:51 CET
CC List: 5 users

See Also:
Source RPM: undertow-1.4.0-2.mga7.src.rpm
CVE: CVE-2020-10719
Status comment:


Attachments

Description Zombie Ryushu 2021-01-13 09:13:38 CET
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
Zombie Ryushu 2021-01-13 09:13:57 CET

CVE: (none) => CVE-2020-10719

Comment 1 Aurelien Oudelet 2021-01-13 15:23:42 CET
Dropped in Cauldron.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => mageia, ouaurelien

Aurelien Oudelet 2021-01-13 15:23:54 CET

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-01-13 17:39:26 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10719
https://security-tracker.debian.org/tracker/CVE-2020-10719

Summary: undertow security issue CVE-2020-10719 => undertow new security issue CVE-2020-10719
Severity: normal => major
Assignee: pkg-bugs => java
Status comment: (none) => Fixed upstream in 2.1.1

Comment 3 David GEIGER 2021-01-14 08:08:34 CET
Done for mga7!

CC: (none) => geiger.david68210

Comment 4 David Walser 2021-01-14 17:33:00 CET
Advisory:
========================

Updated undertow packages fix security vulnerability:

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the
processing of invalid HTTP requests with large chunk sizes. This flaw allows an
attacker to take advantage of HTTP request smuggling (CVE-2020-10719).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10719
========================

Updated packages in core/updates_testing:
========================
undertow-1.4.0-2.1.mga7
undertow-javadoc-1.4.0-2.1.mga7

from undertow-1.4.0-2.1.mga7.src.rpm

Assignee: java => qa-bugs
Status comment: Fixed upstream in 2.1.1 => (none)

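The flaw described in the report and restated in the advisory above is a request-smuggling primitive: a chunked-body parser that does not reject oversized chunk-size values ends up delimiting the body differently from another parser on the same path. The following is an added illustration, not Undertow's code and not taken from this bug; it does not claim how Undertow's parser actually failed. It builds a constructed request stream whose chunk-size line is nine hex digits and runs it through three chunk-size parsers: one that silently truncates to 32 bits, one that truncates to 64 bits, and a hardened one that bounds the digit count and rejects anything else. The host name and the wrapping behaviour are assumptions for the demonstration.

```python
import re

# Constructed request stream for the illustration (not a real capture).
# The chunk-size line "100000005" has nine hex digits: 0x100000005 is
# 4294967301, which silently wraps to 5 if the parser keeps only 32 bits.
SMUGGLED_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"           # assumed host name
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"100000005\r\n"                    # oversized chunk size
    b"hello\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"          # a wrapping parser sees this as request #2
    b"Host: example.test\r\n"
    b"\r\n"
)

class ChunkError(ValueError):
    """The chunked body is malformed; the only safe answer is to reject it."""

class Incomplete(Exception):
    """More bytes are needed before the body can be delimited."""

def _size_field(line: bytes) -> bytes:
    # Drop any chunk extension (";name=value") and surrounding whitespace.
    return line.split(b";", 1)[0].strip()

def chunk_size_wrap32(line: bytes) -> int:
    """Lenient parser that keeps only 32 bits (constructed failure mode)."""
    return int(_size_field(line), 16) & 0xFFFFFFFF

def chunk_size_wrap64(line: bytes) -> int:
    """Lenient parser that keeps 64 bits; it sees a 4 GiB chunk instead."""
    return int(_size_field(line), 16) & 0xFFFFFFFFFFFFFFFF

def chunk_size_strict(line: bytes, max_hex_digits: int = 8) -> int:
    """Hardened parser: hex digits only, bounded length, no silent wraparound."""
    field = _size_field(line)
    if not re.fullmatch(rb"[0-9A-Fa-f]+", field):
        raise ChunkError("chunk-size line is not hexadecimal: %r" % field)
    if len(field) > max_hex_digits:
        raise ChunkError("chunk size too large: %r" % field)
    return int(field, 16)

def read_chunked_body(data: bytes, size_fn):
    """Return (body, remaining bytes), using size_fn for each chunk-size line."""
    pos, body = 0, b""
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise Incomplete
        size = size_fn(data[pos:eol])
        pos = eol + 2
        if size == 0:
            # Last chunk: skip trailer lines up to and including the empty line.
            while True:
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise Incomplete
                line, pos = data[pos:eol], eol + 2
                if not line:
                    return body, data[pos:]
        if pos + size + 2 > len(data):
            raise Incomplete
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data not terminated by CRLF")
        body += data[pos:pos + size]
        pos += size + 2

def parse_request(data: bytes, size_fn):
    """Return (request line, body, bytes left over for the next request)."""
    head_end = data.find(b"\r\n\r\n")
    if head_end < 0:
        raise Incomplete
    request_line = data[:data.find(b"\r\n")]
    body, rest = read_chunked_body(data[head_end + 4:], size_fn)
    return request_line, body, rest

def outcome(size_fn, data: bytes = SMUGGLED_STREAM):
    """How one parser delimits the stream: a tuple, 'incomplete' or 'rejected'."""
    try:
        request_line, body, rest = parse_request(data, size_fn)
    except Incomplete:
        return "incomplete"
    except ChunkError:
        return "rejected"
    next_request_line = rest.split(b"\r\n", 1)[0]
    return request_line, body, next_request_line

def compare_parsers(data: bytes = SMUGGLED_STREAM):
    """Map each parser name to its outcome so disagreements are visible side by side."""
    return {fn.__name__: outcome(fn, data)
            for fn in (chunk_size_wrap32, chunk_size_wrap64, chunk_size_strict)}
```

Running compare_parsers() on the constructed stream gives three different answers: the 32-bit parser finishes the POST after "hello" and treats "GET /admin" as a second, attacker-chosen request; the 64-bit parser waits for gigabytes that never arrive; the strict parser refuses the message. Whichever pair of those sits as front-end proxy and back-end server is exactly the desynchronisation request smuggling relies on. When reviewing a chunked parser, look for a bounded digit count and an explicit reject path, not arithmetic that wraps.
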
Comment 5 Thomas Andrews 2021-01-21 22:43:18 CET
Installed both packages, and updated. No installation issues.

Looked back for another bug for this package, and only found an obscure reference in a bug concerning a different package, which has also been dropped for Mageia 8.

OKing this on a clean install. Validating. Advisory in Comment 4.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Aurelien Oudelet 2021-01-22 16:34:12 CET
Advisory pushed to SVN.

Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-01-23 00:51:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0052.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

