
[WFCORE-6707][WFCORE-6708][WFCORE-6709] CVE-2023-5379 CVE-2024-1459 CVE-2024-1635 Upgrade Undertow, XNIO and JBoss Remoting #5875

Merged: 3 commits, Feb 21, 2024

Conversation

@fl4via (Contributor) commented Feb 21, 2024

23.x PR: #5876

Jiras:
https://issues.redhat.com/browse/WFCORE-6707 - relates to CVE-2024-1635
https://issues.redhat.com/browse/WFCORE-6708 - relates to CVE-2024-1635
https://issues.redhat.com/browse/WFCORE-6709 - fixes CVE-2023-5379 CVE-2024-1459 CVE-2024-1635

Release Notes - XNIO - Version 3.8.13.Final

Bug

  • [XNIO-427] - ClosedChannelException when NioSocketConduit.handleReady invokes write listener after read listener closes connection

Release Notes - JBoss Remoting (3+) - Version 5.0.28.Final

Bug

  • [REM3-404] - Remoting connections closed during greetings exchange after HTTP upgrade are not properly cleaned up after being closed

Enhancement

  • [REM3-405] - Improve performance of server accept

Release Notes - Undertow - Version 2.3.12.Final

Bug

  • [UNDERTOW-2280] - CVE-2023-5379 AJP requests which exceed max-header-size cause JBoss EAP to be marked as error status in httpd as a reverse-proxy
  • [UNDERTOW-2336] - CVE-2024-1635 At HTTP upgrade to remoting, WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener
  • [UNDERTOW-2339] - CVE-2024-1459 Directory traversal vulnerability when accessed via proxy
  • [UNDERTOW-2345] - ClientEndpointConfig stored SSLContext is ignored by Undertow implementation
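The practical question for anyone consuming these components is whether a given build still resolves a version older than the ones listed above. The following script is an added example and is not code from this PR or from the WildFly project: it reads `mvn dependency:list` style output and flags artifacts below the fixed versions named in the release notes. The Maven coordinates used as keys (`io.undertow:undertow-core`, `org.jboss.xnio:xnio-api`, `org.jboss.xnio:xnio-nio`, `org.jboss.remoting:jboss-remoting`) are assumed, the sample output is constructed, and the version comparison deliberately looks only at the numeric components, so it is not suitable for vendor-patched product lines that carry their own qualifiers.

```python
"""Flag Undertow / XNIO / JBoss Remoting artifacts older than the versions
that ship the CVE-2023-5379 / CVE-2024-1459 / CVE-2024-1635 fixes.

Added example, not part of the PR or of WildFly. Input is the text that
`mvn dependency:list` prints (one '[INFO]    g:a:type[:classifier]:version:scope'
line per resolved artifact).
"""
from typing import Dict, List, Optional, Tuple

# Minimum fixed versions, taken from the release notes quoted in this PR.
# The artifact coordinates are assumed for the example.
FIXED_VERSIONS: Dict[str, str] = {
    "io.undertow:undertow-core": "2.3.12.Final",
    "org.jboss.xnio:xnio-api": "3.8.13.Final",
    "org.jboss.xnio:xnio-nio": "3.8.13.Final",
    "org.jboss.remoting:jboss-remoting": "5.0.28.Final",
}

# Constructed sample of `mvn dependency:list` output (not captured from a real build).
SAMPLE_DEPENDENCY_LIST: List[str] = """\
[INFO] The following files have been resolved:
[INFO]    io.undertow:undertow-core:jar:2.3.10.Final:compile
[INFO]    org.jboss.xnio:xnio-api:jar:3.8.13.Final:compile
[INFO]    org.jboss.xnio:xnio-nio:jar:3.8.12.Final:runtime
[INFO]    org.jboss.remoting:jboss-remoting:jar:5.0.27.Final:compile
[INFO]    org.jboss.logging:jboss-logging:jar:3.5.3.Final:compile
""".splitlines()


def numeric_version(version: str) -> Tuple[int, ...]:
    """Leading numeric components only: '2.3.12.Final' -> (2, 3, 12).

    Qualifiers such as Final, SP1 or redhat-00001 are ignored. That is an
    approximation that works for upstream community builds; product builds
    with vendor qualifiers need their own mapping (assumption, not a rule
    stated by the PR).
    """
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_dependency_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (group, artifact, version, scope) for a resolved-artifact line, else None.

    Version is taken as the second-to-last field so an optional classifier
    (g:a:type:classifier:version:scope) does not shift it.
    """
    body = line.strip()
    if body.startswith("[INFO]"):
        body = body[len("[INFO]"):].strip()
    fields = body.split(":")
    if len(fields) < 5:
        return None
    group, artifact, version, scope = fields[0], fields[1], fields[-2], fields[-1]
    if " " in group or " " in version:  # prose lines that happen to contain colons
        return None
    return group, artifact, version, scope


def find_vulnerable(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved_version, fixed_version) for every artifact
    in `lines` that resolves below the fixed version in FIXED_VERSIONS."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version, _scope = parsed
        coord = f"{group}:{artifact}"
        fixed = FIXED_VERSIONS.get(coord)
        if fixed is None:
            continue
        if numeric_version(version) < numeric_version(fixed):
            findings.append((coord, version, fixed))
    return findings


if __name__ == "__main__":
    for coord, resolved, fixed in find_vulnerable(SAMPLE_DEPENDENCY_LIST):
        print(f"{coord}: resolved {resolved}, needs >= {fixed}")
```

Run it against real output with `mvn dependency:list | python check_versions.py`-style piping by swapping `SAMPLE_DEPENDENCY_LIST` for `sys.stdin`; the sample shows the three downgraded artifacts being reported while the already-fixed `xnio-api` and the unrelated `jboss-logging` are left alone.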

@yersan yersan added the ready-for-merge This PR is ready to be merged and fulfills all requirements label Feb 21, 2024
@yersan yersan merged commit 97682ae into wildfly:main Feb 21, 2024
12 checks passed
@fl4via fl4via deleted the WFCORE-6707 branch February 21, 2024 12:23
@yersan (Collaborator) commented Feb 21, 2024

Thanks @fl4via

Labels: Critical; deps-ok (Dependencies have been checked, and there are no significant changes); ready-for-merge (This PR is ready to be merged and fulfills all requirements)

3 participants