Bug#393073: jetty should not reenter testing until some security issues have been checked
Stefan Fritsch
sf at sfritsch.de
Sat Oct 14 20:17:07 UTC 2006
Package: jetty
Version: 5.1.10-2
Severity: grave
Tags: security
Some security issues have been found in jetty 6:
CVE-2006-2759:
jetty 6.0.x (jetty6) beta16 allows remote attackers to read
arbitrary script source code via a capital P in the .jsp extension,
and probably other mixed case manipulations.
CVE-2006-2758:
Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16
allows remote attackers to read arbitrary files via a %2e%2e%5c
(encoded ../) in the URL.
A request to the maintainers to verify that they are not present in
jetty 5 has not been answered. Jetty should not reenter testing until
these issues are checked.
PS: The changes file of 5.1.10-2 was quite broken; some of the bugs were
not marked as closed.
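The two mechanisms the report lists (source disclosure through a mixed-case extension and traversal through an encoded `..\`) are easiest to reason about against a small model of request-path resolution. The block below is an added illustration, not Jetty's code and not part of the original report: a toy resolver with the weak behaviour beside a hardened one. `WEBROOT`, the function names and the sample requests are assumptions made for the example. Whether a real server actually leaks on `.jsP` also depends on the filesystem (a case-insensitive one will happily open `index.jsP` as `index.jsp`) and on how the servlet mapping is matched, so the model only shows the bug class, not a test against a specific Jetty version.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical web root for this model (assumption, not Jetty's layout).
WEBROOT = "/var/www/app"


def naive_resolve(raw_path):
    """Vulnerable model of request resolution: decode once, compare the
    extension case-sensitively, and join the path with no normalisation.
    Returns (handler, filesystem_path)."""
    path = unquote(raw_path)
    # Case-sensitive match: "/index.jsP" falls through to the static handler,
    # which serves the file bytes (the JSP source) instead of executing it.
    handler = "jsp" if path.endswith(".jsp") else "static"
    return handler, WEBROOT + path


def escapes_webroot(fs_path):
    """Model how a filesystem that also treats '\\' as a separator (Windows)
    would see the joined path: does it resolve outside WEBROOT?"""
    resolved = posixpath.normpath(fs_path.replace("\\", "/"))
    return not (resolved == WEBROOT or resolved.startswith(WEBROOT + "/"))


def hardened_resolve(raw_path):
    """Hardened model: reject backslashes, NUL and anything still encoded
    after one decode (double encoding), refuse '..' segments, confine the
    result to WEBROOT, keep WEB-INF unservable, and choose the handler on a
    case-folded extension so mixed case cannot reach the static handler."""
    path = unquote(raw_path)
    if "\\" in path or "\x00" in path or "%" in path:
        return "reject", "bad character or double encoding"
    segments = [s for s in path.split("/") if s and s != "."]
    if ".." in segments:
        return "reject", "parent-directory segment"
    full = posixpath.normpath(posixpath.join(WEBROOT, *segments))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        return "reject", "outside web root"
    if segments and segments[0].lower() == "web-inf":
        return "reject", "WEB-INF is not servable"
    ext = posixpath.splitext(full)[1].lower()
    handler = "jsp" if ext == ".jsp" else "static"
    return handler, full


if __name__ == "__main__":
    # Constructed sample requests mirroring the two reported patterns.
    for req in ("/index.jsp", "/index.jsP",
                "/%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd",
                "/%252e%252e/etc/passwd", "/WEB-INF/web.xml"):
        handler, target = naive_resolve(req)
        print(f"naive    {req:45} -> {handler:7} {target}"
              f"{'  ESCAPES ROOT' if escapes_webroot(target) else ''}")
        print(f"hardened {req:45} -> {hardened_resolve(req)}")
```

The naive resolver reproduces both classes: `/index.jsP` is routed to the static handler, and the decoded `..\..\..\etc/passwd` lands on a path that a backslash-aware filesystem resolves to `/etc/passwd`. The hardened resolver refuses the second request before any path is built and routes the first to the JSP handler regardless of case.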