Hi,
I just noticed that jetty8 is almost never marked as affected by issues
in jetty and jetty9. Is it intentional that jetty8 isn't listed whereas
jetty and jetty9 are?
For example:
- CVE-2018-12538: there is no obvious reason why jetty8 wouldn't be
listed if jetty and jetty9 are.
- CVE-2018-12536: there is no way to tell jetty8 isn't affected without
doing some code analysis / at least trying to reproduce, and even so
it would be better to list jetty8 and mark it not-affected.
... and many others. The number of issues "affecting" jetty8 is a lot
smaller than jetty/jetty9.
Regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA