
Re: jetty CVE triage: jetty8 ignored?



Hi Sebastien

You are right, CVE-2011-XXXX first found to affect jetty (jetty 6) could very well not be fixed in jetty 8 since jetty 8 was first released in 2009.

http://www.eclipse.org/jetty/documentation/current/what-jetty-version.html

So to be on the safe side I checked the two CVEs from 2011.
CVE-2011-4461 affects 8.1.0-RC2 and earlier (a later version exists in jessie) and is also marked as no-dsa (minor issue).
CVE-2011-4404 is marked as a duplicate of another CVE from 2009, and that problem was solved in 2009.

With this said, yes we could mark these also for jetty8 for completeness, but I do not see a big benefit.

Best regards

// Ola

On 3 July 2018 at 16:58, Sébastien Delafond <seb@debian.org> wrote:
On 2018-07-03, Ola Lundqvist <ola@inguza.com> wrote:
> jetty8 first appeared in 2012.
> jetty9 first appeared in 2015.
>
> This means that CVE entries before 2012 are not relevant for jetty8
> and before 2015 not relevant for jetty9.

That's just wrong; for instance, a CVE-2011-XXXX first found to affect
jetty7 could very well not be fixed yet in jetty8.

Cheers,

--Seb

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
