[Git][security-tracker-team/security-tracker][master] Add CVE-2018-12545/jetty9

Salvatore Bonaccorso carnil at debian.org
Sat Apr 6 09:02:07 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
27c2c080 by Salvatore Bonaccorso at 2019-04-06T08:01:23Z
Add CVE-2018-12545/jetty9

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -46595,7 +46595,12 @@ CVE-2018-12546 (In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a cli
 	NOTE: https://mosquitto.org/blog/2019/02/version-1-5-6-released/
 	NOTE: https://mosquitto.org/files/cve/2018-12546
 CVE-2018-12545 (In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to  ...)
-	TODO: check
+	- jetty9 <not-affected> (Vulnerable code never present in Debian released version)
+	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096
+	NOTE: Issue is not present in 9.2.x as there is no HTTP/2 support. Fixed upstream
+	NOTE: in 9.4.12. Debian package moved directly to 9.4.14-1 containing the fix and
+	NOTE: thus never including in unstable a vulnerable version.
+	NOTE: Cf. https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096#c7
 CVE-2018-12544 (In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML  ...)
 	NOT-FOR-US: Eclipse Vert.x
 CVE-2018-12543 (In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is  ...)
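
Review bot: The added NOTE lines under CVE-2018-12545 justify <not-affected> for 9.2.x (no HTTP/2 support) and for 9.4.x (package went straight to 9.4.14-1, past the upstream fix in 9.4.12), but the CVE description on the line above also names 9.3.x and the notes never say whether a 9.3.x version was ever uploaded. A short NOTE stating the 9.3.x situation would make the <not-affected> reasoning complete for anyone re-triaging this entry later. Two smaller points: the bare bug URL in the first NOTE is repeated by the final "Cf. ...#c7" NOTE, so the two could be merged into one reference, and "thus never including in unstable a vulnerable version" would read more clearly as "so unstable never contained a vulnerable version".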



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/27c2c080ba372e87c51f9ef71d027c96fb7da8cb
