Bug#454529: two more CVEs

Steffen Joeris steffen.joeris at skolelinux.de
Wed Dec 5 22:45:41 UTC 2007


There have been two more CVEs[0][1] for jetty:


Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty 
before 6.1.6rc1 allows remote attackers to inject arbitrary web script or 
HTML via unspecified parameters and cookies.


Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote 
sequences" in HTML cookie parameters, which allows remote attackers to hijack 
browser sessions via unspecified vectors.


[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613

[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614