Jetty security issue?
Greg Wilkins
gregw at webtide.com
Wed Oct 3 22:57:41 UTC 2007
Hi security team and Jetty package maintainers,
I'm the main developer of the Jetty Java HTTP Server.
I have been contacted by a Nico Golde @ debian.org asking
about the availability of a fix for a security vulnerability for
the debian package of Jetty but that the maintainers had
no time to fix it.
http://securitytracker.com/alerts/2006/May/1016168.html
I was totally unaware of any debian packages of Jetty and replied
to Nico asking if I could be put in contact with the package
maintainers.
Nico then replied with attitude that I was wasting his time
because I hadn't told him if a specific version was
vulnerable (5.0.10 - which is not the packaged version).
As I have no idea how these packages have been built or
configured - I can't say if they are vulnerable or not.
I don't have any knowledge of how debian processes work
nor if Nico was approaching us in any official capacity.
I don't know if the debian Jetty packages are officially
part of debian or not.
I don't really appreciate being accused of wasting the
time of others simply because they have taken my
software and then can't be bothered to maintain it
(I don't know if that is the case, but it is how it
was represented by Nico).
I have put the effort in to develop the package and
to quickly respond to all security vulnerabilities
that I have received. I don't see that I should
be expected to provide the extra effort to help every
distributor include those fixes, if they are not
prepared to help me.
However, if somebody without attitude who knows about
debian wants to work with me, then I would be VERY pleased
to help make non-vulnerable packages of Jetty available
via debian.
regards