[Git][security-tracker-team/security-tracker][master] jetty/jetty8: mark remaining CVEs <ignored>

Hugo Lefeuvre hle at debian.org
Sat Sep 8 21:24:21 BST 2018


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a76f2e7a by Hugo Lefeuvre at 2018-09-08T20:22:42Z
jetty/jetty8: mark remaining CVEs <ignored>

Exploits may have significant impact but require very specific
conditions, which makes them very unlikely. I could not reproduce any of
these issues on jetty and jetty8. Furthermore, fixing these issues in
the 8.x branches and older is going to be very time-expensive according to
upstream.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -10261,7 +10261,9 @@ CVE-2018-12536 (In Eclipse Jetty Server, all 9.x versions, on webapps deployed u
 	- jetty9 9.2.25-1 (low; bug #902774)
 	[stretch] - jetty9 <ignored> (Harmless information leak)
 	- jetty8 <removed>
+	[jessie] - jetty8 <ignored> (Harmless information leak)
 	- jetty <removed>
+	[jessie] - jetty <ignored> (Harmless information leak)
 	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670
 CVE-2018-12535
 	RESERVED
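Review bot: the new [jessie] lines for jetty and jetty8 reuse the stretch justification "(Harmless information leak)", but the dla-needed.txt notes removed in this same commit record that jetty "doesn't seem to be affected (Wheezy + Jessie)" and that jetty8 "still need to check". If the jessie packages are in fact unaffected, <not-affected> with that reason is the more precise tag than <ignored>; if the jetty8 check was never completed, it is worth saying so in a NOTE line under CVE-2018-12536 rather than letting the 20180702/20180716 findings disappear together with the dla-needed entry.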
@@ -74703,21 +74705,28 @@ CVE-2017-7659 (A maliciously constructed HTTP/2 request could cause mod_http2 2.
 CVE-2017-7658 (In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non ...)
 	{DSA-4278-1}
 	- jetty <removed>
+	[jessie] - jetty <ignored> (very hard to exploit, complex patch)
 	- jetty8 <removed>
+	[jessie] - jetty8 <ignored> (very hard to exploit, complex patch)
 	- jetty9 9.2.25-1 (low; bug #902953)
 	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
 	NOTE: https://github.com/eclipse/jetty.project/commit/a285deea
+	NOTE: Exploit very unlikely, needs a very particular intermediary behaviour.
 CVE-2017-7657 (In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all ...)
 	{DSA-4278-1}
 	- jetty <removed>
+	[jessie] - jetty <ignored> (very hard to exploit, complex patch)
 	- jetty8 <removed>
+	[jessie] - jetty8 <ignored> (very hard to exploit, complex patch)
 	- jetty9 9.2.25-1 (low; bug #902953)
 	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
 	NOTE: https://github.com/eclipse/jetty.project/commit/a285deea
 CVE-2017-7656 (In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all ...)
 	{DSA-4278-1}
 	- jetty <removed>
+	[jessie] - jetty <ignored> (very hard to exploit, complex patch)
 	- jetty8 <removed>
+	[jessie] - jetty8 <ignored> (very hard to exploit, complex patch)
 	- jetty9 9.2.25-1 (low; bug #902953)
 	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
 	NOTE: https://github.com/eclipse/jetty.project/commit/a285deea
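Review bot: the justification "NOTE: Exploit very unlikely, needs a very particular intermediary behaviour." is added only under CVE-2017-7658, while CVE-2017-7657 and CVE-2017-7656 receive the same "(very hard to exploit, complex patch)" <ignored> reason for jessie with no note explaining why exploitation is unlikely. Since all three entries point at the same upstream fix commit a285deea and bug #902953, either add an equivalent NOTE under each of the other two entries or have the 7658 note state explicitly that it covers the whole group, so the reasoning is recorded per entry rather than inferred from a neighbour.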


=====================================
data/dla-needed.txt
=====================================
@@ -29,20 +29,6 @@ glusterfs
 gnutls28 (Ola Lundqvist)
   NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. (lamby)
 --
-jetty (Hugo Lefeuvre)
-  NOTE: 20180702: jetty8 almost never marked as affected whereas jetty and jetty9 are. Reason ?
-  NOTE: 20180702: CVE-2018-12536 fixed in latest upstream release. Looks like upstream
-  NOTE: 20180702: voluntarily obfuscated the issue (fix hidden in unrelated changes).
-  NOTE: 20180702: Fix (9.4.x): a51920d650d924cc2cea011995624b394437c6e0
-  NOTE: 20180702:     (9.3.x): 53e8bc2a636707e896fd106fbee3596823c2cdc9 (closer to Debian versions)
-  NOTE: 20180702: check before putting in the tracker.
-  NOTE: 20180702: jetty:  doesn't seem to be affected (Wheezy + Jessie)
-  NOTE: 20180702: jetty8: still need to check (Wheezy + Jessie)
-  NOTE: 20180702: jetty9: affected, will provide patches for stretch and testing
-  NOTE: 20180716: can't reproduce CVE-2018-12536, e-mailed upstream for more information
---
-jetty8 (Hugo Lefeuvre)
---
 kamailio (Chris Lamb)
 --
 kdepim
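Review bot: dropping the jetty and jetty8 blocks discards the only record of the CVE-2018-12536 fix commits (a51920d650d924cc2cea011995624b394437c6e0 for 9.4.x and 53e8bc2a636707e896fd106fbee3596823c2cdc9 for 9.3.x, the latter noted as closer to the Debian versions) and of the open "jetty8: still need to check (Wheezy + Jessie)" item. Consider carrying the two commit hashes into NOTE lines under CVE-2018-12536 in data/CVE/list before removing this block and, if the jetty8 check was completed, recording its outcome there too. The separators are consistent after the removal: the "--" before kamailio is kept and the two "--" lines that belonged to the removed entries go with them.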



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a76f2e7ac67bd0fd741a7200c280b605fd358241
