jetty/jetty8/jetty9 not affected by CVE-2018-12538
Hi,
FYI, none of the jetty releases present in Debian are affected by
CVE-2018-12538.
CVE-2018-12538 affects FileSessionDataStore and more specifically its
function getFile(). This class was introduced in 9.4, this
vulnerability thus affects 9.4.x releases only (and jetty package has
version < 9.0, jetty9 has <= 9.2.24).
FTR FileSessionDataStore was introduced in
fa8232d3c81608c25d9e8c66cdfe8ab7a66c892b and the vulnerable code in
54a56314627f0a2c33ca67d813e3396f6bc03274.
regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
Reply to: