Re: jetty CVE triage: jetty8 ignored?

To: debian-lts@lists.debian.org
Subject: Re: jetty CVE triage: jetty8 ignored?
From: Sébastien Delafond <seb@debian.org>
Date: Thu, 5 Jul 2018 11:23:11 +0000 (UTC)
Message-id: <[🔎] 20180705131813.853@usenet.piggo.com>
References: <[🔎] 20180702155019.GA1900@hle-laptop.local> <[🔎] CABY6=0kU6UCeDOy4vKjjnGFYEc_Ujgb6PEJn7tEqeS4pYyqByw@mail.gmail.com> <[🔎] 20180703153338.930@usenet.piggo.com> <[🔎] CABY6=0=a-mjwLSW87vY8wqVNmEOduZ9k_E=2uYJvX4fWoG5UHA@mail.gmail.com>

On 2018-07-04, Ola Lundqvist <ola@inguza.com> wrote:
> You are right, CVE-2011-XXXX first found to affect jetty (jetty 6)
> could very well not be fixed in jetty 8 since jetty 8 was first
> released in 2009.

Even if jetty 8 had been first released in 2018, you *still* could not
conclude anything simply because "2011 is before 2018". All your
statements about "CVE-YYYY-XXX can't affect foo because foo was released
after year YYYY" are just plain wrong.

Cheers,

--Seb

Reply to:

Follow-Ups:
- Re: jetty CVE triage: jetty8 ignored?
  - From: Ola Lundqvist <ola@inguza.com>

References:
- jetty CVE triage: jetty8 ignored?
  - From: Hugo Lefeuvre <hle@debian.org>
- Re: jetty CVE triage: jetty8 ignored?
  - From: Ola Lundqvist <ola@inguza.com>
- Re: jetty CVE triage: jetty8 ignored?
  - From: Sébastien Delafond <seb@debian.org>
- Re: jetty CVE triage: jetty8 ignored?
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: phpmyadmin update (Was Re: last call for wheezy updates and remaining work for transition)
Next by Date: Re: Advice for building tomcat8 on jessie?
Previous by thread: Re: jetty CVE triage: jetty8 ignored?
Next by thread: Re: jetty CVE triage: jetty8 ignored?
Index(es):
- Date
- Thread