Bug#864631: unblock: jetty9/9.2.22-1
Control: tags -1 - moreinfo
Hi Adam,
On Sat, Jun 17, 2017 at 05:32:07PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> Hi,
>
> On Sun, 2017-06-11 at 23:33 +0200, Emmanuel Bourg wrote:
> > This is a pre-upload request to unblock jetty9/9.2.22-1. This update fixes
> > a timing attack in a class checking passwords (no CVE ID has been assigned yet)
> > and removes a broken symlink (#857217).
> >
> > Note that Jetty 9.2.x is in maintenance mode and receives only critical fixes
> > from upstream, that's why I'm suggesting to upload a new version (it mostly
> > consists in the security fix anyway).
>
> Sorry that this didn't get picked up before the release.
>
> From your comment above, I assume the plan is to get a newer upstream
> version of Jetty into unstable soon? If so, then how we proceed with
> fixing this in stretch depends on whether the Security Team plan to
> handle it via a DSA; CCing them for an opinion.
Sorry for the delay. No, we marked the issue as no-dsa, and the fix
should preferably go in via a point release.
The CVE is CVE-2017-9735.
Regards,
Salvatore