Hi, I just noticed that jetty8 is almost never marked as affected by issues in jetty and jetty9. Is it intentional that jetty8 isn't listed whereas jetty and jetty9 are ? For example: - CVE-2018-12538: there is no obvious reason why jetty8 wouldn't be listed if jetty and jetty9 are. - CVE-2018-12536: there is no way to tell jetty8 isn't affected without doing some code analysis / at least trying to reproduce, and even so it would be better to list jetty8 and mark it not-affected. ... and many others. The number of issues "affecting" jetty8 is a lot smaller than jetty/jetty9. Regards, Hugo -- Hugo Lefeuvre (hle) | www.owl.eu.com 4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
Attachment:
signature.asc
Description: PGP signature