[Git][security-tracker-team/security-tracker][master] CVE-2024-6763,jetty9: mark bookworm and bullseye as ignored
Markus Koschany (@apo)
apo at debian.org
Tue Apr 1 19:03:09 BST 2025
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c3862ef0 by Markus Koschany at 2025-04-01T20:02:58+02:00
CVE-2024-6763,jetty9: mark bookworm and bullseye as ignored
According to upstream jetty9 server and client are not affected or more
specifically, quote:
"Jetty 9 doesn't even have a UriCompliance, nor is it RFC9110. This PR in Jetty
9 makes no sense. We cannot force RFC9110 on Jetty 9 users, and the Jetty 9
users have no means to configure this UriCompliance rule it once it is
implemented."
This is more of an issue how browsers and jetty use different conventions to
parse a URI. The solution for jetty12 is to deprecate a part of a newer
specification which jetty9 does not even use.
This can't be properly addressed in Jetty 9.
https://github.com/jetty/jetty.project/pull/12012#issuecomment-2416450253
and followups.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -53665,6 +53665,8 @@ CVE-2024-7847 (VULNERABILITY DETAILS Rockwell Automation used the latest versio
NOT-FOR-US: Rockwell Automation
CVE-2024-6763 (Eclipse Jetty is a lightweight, highly scalable, Java-based web server ...)
- jetty9 <unfixed> (bug #1085698)
+ [bookworm] - jetty9 <ignored> (Minor issue)
+ [bullseye] - jetty9 <ignored> (Minor issue)
- jetty <removed>
NOTE: https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh
NOTE: https://github.com/jetty/jetty.project/pull/12012
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3862ef0825ea46b0a9f38f18ff8d3c36c48de11
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3862ef0825ea46b0a9f38f18ff8d3c36c48de11
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250401/66b92083/attachment.htm>
More information about the debian-security-tracker-commits
mailing list