Candidate: CVE-2017-14063
PublicDate: 2017-08-31 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14063
 https://github.com/AsyncHttpClient/async-http-client/issues/1455
 https://github.com/AsyncHttpClient/async-http-client/commit/eb9e3347e45319be494db24d285a2aee4396f5d3
 http://openwall.com/lists/oss-security/2017/08/31/4
Description:
 Async Http Client (aka async-http-client) before 2.0.35 can be tricked into
 connecting to a host different from the one extracted by java.net.URI if a
 '?' character occurs in a fragment identifier. Similar bugs were previously
 identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_async-http-client:
upstream_async-http-client: released (2.0.35)
precise/esm_async-http-client: DNE
trusty_async-http-client: ignored (out of standard support)
trusty/esm_async-http-client: not-affected (code not present)
vivid/ubuntu-core_async-http-client: DNE
xenial_async-http-client: not-affected (code not present)
zesty_async-http-client: ignored (reached end-of-life)
artful_async-http-client: ignored (reached end-of-life)
bionic_async-http-client: not-affected (code not present)
cosmic_async-http-client: not-affected (code not present)
disco_async-http-client: not-affected (2.6.0-1)
devel_async-http-client: not-affected (2.6.0-1)