
Re: jetty CVE triage: jetty8 ignored?

Hi Sebastian

With this reasoning, we cannot assume that a later release includes fixes for earlier releases for any package. Jetty seems to be actively and sanely maintained, so I think the risk you point out is very low.
But you are right, this could be the case for a badly maintained package.

Cheers

// Ola

On 5 July 2018 at 13:23, Sébastien Delafond <seb@debian.org> wrote:
On 2018-07-04, Ola Lundqvist <ola@inguza.com> wrote:
> You are right, CVE-2011-XXXX first found to affect jetty (jetty 6)
> could very well not be fixed in jetty 8 since jetty 8 was first
> released in 2009.

Even if jetty 8 had been first released in 2018, you *still* could not
conclude anything simply because "2011 is before 2018". All your
statements about "CVE-YYYY-XXX can't affect foo because foo was released
after year YYYY" are just plain wrong.

Cheers,

--Seb

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
