[Git][security-tracker-team/security-tracker][master] Reserve DLA-2560-1 for jetty9

Sylvain Beucler (@beuc) beuc at debian.org
Fri May 14 14:16:48 BST 2021



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d5b791b9 by Sylvain Beucler at 2021-05-14T15:16:10+02:00
Reserve DLA-2560-1 for jetty9

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -44072,7 +44072,6 @@ CVE-2020-27217 (In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapte
 	NOT-FOR-US: Eclipse Hono
 CVE-2020-27216 (In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thr ...)
 	- jetty9 9.4.33-1
-	[stretch] - jetty9 <no-dsa> (Minor issue)
 	- jetty8 <removed>
 	- jetty <removed>
 	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
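Review bot: In the CVE-2020-27216 entry, dropping "[stretch] - jetty9 <no-dsa> (Minor issue)" leaves no stretch-specific line, and the only fixed version left is "- jetty9 9.4.33-1", which is higher than the 9.2.30-0+deb9u1 upload recorded in data/DLA/list. Stretch status for this CVE now rests entirely on the DLA entry, so check that the DLA cross-reference shows up under this CVE; without it, a plain version comparison could report stretch as still vulnerable.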
@@ -139073,7 +139072,6 @@ CVE-2019-10247 (In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and
 	[experimental] - jetty9 9.4.18-1
 	- jetty9 9.4.18-2 (bug #928444)
 	[buster] - jetty9 <no-dsa> (Minor issue)
-	[stretch] - jetty9 <no-dsa> (Minor issue)
 	- jetty8 <removed>
 	[jessie] - jetty8 <no-dsa> (Minor issue)
 	- jetty <removed>
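Review bot: With the stretch line removed from CVE-2019-10247, the context line "[buster] - jetty9 <no-dsa> (Minor issue)" now leaves the newer release marked unfixed while stretch receives a fix through the DLA. The CVE-2019-10241 hunk that follows has the same shape. Consider flagging both for buster so the two releases do not diverge.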
@@ -139098,7 +139096,6 @@ CVE-2019-10241 (In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and
 	[experimental] - jetty9 9.4.18-1
 	- jetty9 9.4.18-2 (bug #928444)
 	[buster] - jetty9 <no-dsa> (Minor issue)
-	[stretch] - jetty9 <no-dsa> (Minor issue)
 	- jetty8 <removed>
 	[jessie] - jetty8 <no-dsa> (Minor issue)
 	- jetty <removed>
@@ -186885,7 +186882,6 @@ CVE-2018-12537 (In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response
 	NOT-FOR-US: Eclipse Vertx
 CVE-2018-12536 (In Eclipse Jetty Server, all 9.x versions, on webapps deployed using d ...)
 	- jetty9 9.2.25-1 (low; bug #902774)
-	[stretch] - jetty9 <ignored> (Harmless information leak)
 	- jetty8 <removed>
 	[jessie] - jetty8 <ignored> (Harmless information leak)
 	- jetty <removed>
@@ -245513,7 +245509,6 @@ CVE-2017-9726 (The Ins_MDRP function in base/ttinterp.c in Artifex Ghostscript G
 CVE-2017-9735 (Jetty through 9.4.x is prone to a timing channel in util/security/Pass ...)
 	{DLA-1021-1 DLA-1020-1}
 	- jetty9 9.2.22-1 (bug #864898)
-	[stretch] - jetty9 <ignored> (Harmless information leak)
 	- jetty8 <removed>
 	[jessie] - jetty8 <no-dsa> (Minor issue)
 	- jetty <removed>
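Review bot: The cross-reference line "{DLA-1021-1 DLA-1020-1}" under CVE-2017-9735 is untouched in this hunk, yet the new entry in data/DLA/list names this CVE. Confirm that the line gains DLA-2661-1, since the removed "<ignored> (Harmless information leak)" line was the only stretch record here.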


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[14 May 2021] DLA-2661-1 jetty9 - security update
+	{CVE-2017-9735 CVE-2018-12536 CVE-2019-10241 CVE-2019-10247 CVE-2020-27216}
+	[stretch] - jetty9 9.2.30-0+deb9u1
 [13 May 2021] DLA-2660-1 libgetdata - security update
 	{CVE-2021-20204}
 	[stretch] - libgetdata 0.9.4-1+deb9u1
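Review bot: The added line reserves "DLA-2661-1", but the commit subject reads "Reserve DLA-2560-1 for jetty9". DLA-2661-1 is the identifier that follows DLA-2660-1 in the context line, so the subject looks like a typo; worth noting wherever the commit is referenced so the advisory is not searched for under the wrong number.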


=====================================
data/dla-needed.txt
=====================================
@@ -67,9 +67,6 @@ imagemagick (Anton Gladky)
   NOTE: 20210415: Tracker records as vulnerable to CVE-2021-20312, but parts of
   NOTE: 20210415: patch already partly covered; needs investigation. (lamby)
 --
-jetty9 (Sylvain Beucler)
-  NOTE: 20210507: fixing FTBFS due to newer tomcat8, upgrading to 9.2.30, backporting other fixes (Beuc)
---
 libimage-exiftool-perl (Utkarsh)
 --
 libwebp (Anton Gladky)
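Review bot: The removed NOTE ("upgrading to 9.2.30, backporting other fixes") is the only place in this commit that records how the five CVEs were addressed. Consider adding a NOTE under the affected CVE entries in data/CVE/list stating which ones are covered by the 9.2.30 upgrade and which by backported patches, so that information survives the removal from dla-needed.txt.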



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5b791b93ffe1bcfa62408897253565adb4b2f9d
