
Bug#864631: unblock: jetty9/9.2.22-1



Control: tags -1 + moreinfo

Hi,

On Sun, 2017-06-11 at 23:33 +0200, Emmanuel Bourg wrote:
> This is a pre-upload request to unblock jetty9/9.2.22-1. This update fixes
> a timing attack in a class checking passwords (no CVE ID has been assigned yet)
> and removes a broken symlink (#857217).
> 
> Note that Jetty 9.2.x is in maintenance mode and receives only critical fixes
> from upstream, that's why I'm suggesting to upload a new version (it mostly
> consists in the security fix anyway).

Sorry that this didn't get picked up before the release.

From your comment above, I assume the plan is to get a newer upstream
version of Jetty into unstable soon? If so, then how we proceed with
fixing this in stretch depends on whether the Security Team plan to
handle it via a DSA; CCing them for an opinion.

Regards,

Adam

