
Re: Jetty 6.1.22 with OSGi bundles MANIFEST.MF committed into pkg-java svn



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


>> * According to #554874, the comment in jetty.default is wrong, it
>> should say "set it to 0.0.0.0 to listen to all
>> interfaces". I can look further into this and try to close that bug, too.
>
> That would be great yes.

OK, so I'll leave the Eclipse testing to you, and I'll be working on
getting this bug and (..)

> As I recall 6.1.22 is supposed to fix a security issue (one of the two
> RC+security bugs); we should have that verified.

(...) these other two bugs. First, for the real CVE (Bug #553644), this bug affects 6.1.21. Niels had some Fedora patches in pkg-java svn trunk that fixed that bug. I manually checked that these changes are present in 6.1.22 upstream. I'll still do a second round reading the CVE before marking it as pending.

That still leaves the "CVE-that-happened-and-was-solved-before-we-even-packed-that-project" issue. [1] I am tempted to audit the code to close that bug and concurrently do a post in security to ask for some policy decision. I agree there is absolutely no "reasonable doubt" that merits performing such an audit, and many projects will fall into that situation.

OTOH Torsten has made the case that working on this is a waste of resources (I wonder if security will allow us to downgrade the bug to 'wishlist' and rename it to "audit the code for being really sure CVE-2007-6672 doesn't affect us"). I just don't like reading "Tags: security, wontfix", it might scare away potential users of the package ;-)

Regards,

Pablo

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559765

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----