
jetty/jetty8/jetty9 not affected by CVE-2018-12538



Hi,

FYI, none of the jetty releases present in Debian are affected by
CVE-2018-12538.

CVE-2018-12538 affects FileSessionDataStore and more specifically its
function getFile(). This class was introduced in 9.4; this
vulnerability thus affects 9.4.x releases only (and the jetty package has
version < 9.0, jetty9 has <= 9.2.24).

FTR FileSessionDataStore was introduced in
fa8232d3c81608c25d9e8c66cdfe8ab7a66c892b and the vulnerable code in
54a56314627f0a2c33ca67d813e3396f6bc03274.

regards,
 Hugo

-- 
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA

