
Bug#864631: unblock: jetty9/9.2.22-1



Control: tags -1 - moreinfo

Hi Adam,

On Sat, Jun 17, 2017 at 05:32:07PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> Hi,
> 
> On Sun, 2017-06-11 at 23:33 +0200, Emmanuel Bourg wrote:
> > This is a pre-upload request to unblock jetty9/9.2.22-1. This update fixes
> > a timing attack in a class checking passwords (no CVE ID has been assigned yet)
> > and removes a broken symlink (#857217).
> > 
> > Note that Jetty 9.2.x is in maintenance mode and receives only critical fixes
> > from upstream, that's why I'm suggesting to upload a new version (it mostly
> > consists in the security fix anyway).
> 
> Sorry that this didn't get picked up before the release.
> 
> From your comment above, I assume the plan is to get a newer upstream
> version of Jetty into unstable soon? If so, then how we proceed with
> fixing this in stretch depends on whether the Security Team plan to
> handle it via a DSA; CCing them for an opinion.

Sorry for the delay. No, we marked the issue as no-dsa, and the fix
should preferably go in via a point release.

The CVE is CVE-2017-9735.

Regards,
Salvatore

