Bug#902774: jetty/jetty8/jetty9 not affected by CVE-2018-12538
Hugo Lefeuvre
hle at debian.org
Sun Jul 1 21:23:31 BST 2018
Hi,

FYI, none of the jetty releases present in Debian are affected by
CVE-2018-12538.

CVE-2018-12538 affects FileSessionDataStore and more specifically its
function getFile(). This class was introduced in 9.4; this
vulnerability thus affects 9.4.x releases only (and the jetty package has
version < 9.0, jetty9 has <= 9.2.24).

FTR FileSessionDataStore was introduced in
fa8232d3c81608c25d9e8c66cdfe8ab7a66c892b and the vulnerable code in
54a56314627f0a2c33ca67d813e3396f6bc03274.

Regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA