
Re: jetty CVE triage: jetty8 ignored?



Hi

I have compared the lists for jetty, jetty8 and jetty9.

jetty8 first appears in 2012.
jetty9 first appears in 2015.

This means that CVE entries from before 2012 are not relevant for jetty8, and entries from before 2015 are not relevant for jetty9.

When I look at the open issues for jetty they look identical, but the resolved list is a little different.
jetty9 does not have CVE-2015-2080 marked as resolved. This should be checked to make sure it has not been missed.

The ones you mention are now listed for all of them and I think that is relevant.

But I do not see the difference you mention for jetty8 and jetty9 (just one package diff).
The list is much longer for jetty, simply because it has been around for a longer period, but I do not see the other difference.

Or am I looking in the wrong place when comparing them?
I'm comparing the following pages:
https://security-tracker.debian.org/tracker/source-package/jetty
https://security-tracker.debian.org/tracker/source-package/jetty8
https://security-tracker.debian.org/tracker/source-package/jetty9

Best regards

// Ola




On 2 July 2018 at 17:50, Hugo Lefeuvre <hle@debian.org> wrote:
Hi,

I just noticed that jetty8 is almost never marked as affected by issues
in jetty and jetty9. Is it intentional that jetty8 isn't listed whereas
jetty and jetty9 are?

For example:
 - CVE-2018-12538: there is no obvious reason why jetty8 wouldn't be
   listed if jetty and jetty9 are.
 - CVE-2018-12536: there is no way to tell jetty8 isn't affected without
   doing some code analysis / at least trying to reproduce, and even so
   it would be better to list jetty8 and mark it not-affected.

... and many others. The number of issues "affecting" jetty8 is a lot
smaller than jetty/jetty9.

Regards,
 Hugo

--
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA



--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
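The comparison Ola describes above (drop CVEs older than a package's first appearance, then look for ids listed for jetty but missing for a sibling, and for ids whose resolved/open status differs), as an added example that is not part of this thread or of the security tracker's own code. The tracker data is constructed to mimic the shape of the tracker's data/json export, the suite name "jessie" and the id CVE-2011-0001 are placeholders, and the first-appearance years are the ones stated in the mail.

```python
import re

def listed(status, *cves):
    """Build CONSTRUCTED tracker-style entries: CVE id -> per-suite status."""
    return {c: {"releases": {"jessie": {"status": status}}} for c in cves}

# Constructed sample mimicking the shape of the tracker's data/json export
# (package -> CVE -> releases -> suite -> status); CVE-2011-0001 is a placeholder.
TRACKER = {
    "jetty": {**listed("resolved", "CVE-2011-0001", "CVE-2015-2080"),
              **listed("open", "CVE-2018-12536", "CVE-2018-12538")},
    "jetty8": listed("resolved", "CVE-2015-2080"),
    "jetty9": listed("open", "CVE-2015-2080", "CVE-2018-12536", "CVE-2018-12538"),
}
# First-appearance year per package as stated in the mail; absent = no cutoff.
FIRST_YEAR = {"jetty8": 2012, "jetty9": 2015}
CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

def cve_year(cve_id):
    """Year component of a CVE id; malformed ids raise instead of slipping through."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError("not a CVE id: %r" % cve_id)
    return int(m.group(1))

def missing_in(tracker, reference, sibling, first_year=FIRST_YEAR):
    """CVEs listed for `reference` that `sibling` should list but does not;
    CVEs older than `sibling`'s first appearance are not expected there."""
    cutoff = first_year.get(sibling, 0)
    expected = {c for c in tracker.get(reference, {}) if cve_year(c) >= cutoff}
    return expected - set(tracker.get(sibling, {}))

def collapsed_status(entry):
    """'resolved' only when every listed suite is resolved, otherwise 'open'."""
    statuses = {s.get("status") for s in entry.get("releases", {}).values()}
    return "resolved" if statuses == {"resolved"} else "open"

def status_mismatches(tracker, pkg_a, pkg_b):
    """CVEs listed for both packages whose collapsed status differs."""
    out = {}
    for cve in sorted(set(tracker.get(pkg_a, {})) & set(tracker.get(pkg_b, {}))):
        pair = (collapsed_status(tracker[pkg_a][cve]), collapsed_status(tracker[pkg_b][cve]))
        if pair[0] != pair[1]:
            out[cve] = pair
    return out

if __name__ == "__main__":
    for sib in ("jetty8", "jetty9"):
        print(sib, "not listed:", sorted(missing_in(TRACKER, "jetty", sib)))
        print(sib, "status differs from jetty:", status_mismatches(TRACKER, "jetty", sib))
```

Against the real export the same functions apply unchanged once the JSON is loaded into `TRACKER`; the cutoff is a heuristic, so anything it drops should still be a deliberate not-affected entry rather than an absence.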

