Hi Sebastien and others
I have checked a few of the CVEs from 2009 and my conclusion is that this is not important enough for LTS work.
CVE-2009-5045 to CVE-2009-5049: an advisory was sent by jetty stating that jetty 6 and 7 are affected. The version in jessie is a version that is fixed. As jetty 8 did not exist at this time, we can only assume that the jetty designers themselves have fixed this. At the same time, the affected apps are not shipped in the Debian version.
CVE-2009-4612 was fixed in a version long before the version in jessie. I do not think it is worth investigating jetty 8. If someone else thinks this is important, please go ahead.
Other CVEs from 2009 have a similar property. They were fixed in a version long before jessie was released. We do not have any specific patch pointer to them, so investigating this would be quite time-consuming.
As I said, jetty seems to be a well-maintained package where they themselves present advisories, so I'm pretty comfortable with not investigating this on LTS time.
If you feel that this should be done, please go ahead. I will not stop you. Maybe someone else will but I will not.
Now let us focus on the issues we know are problems instead. That is definitely much more important!
Best regards
// Ola