Jetty security issue?

Moritz Muehlenhoff jmm at inutil.org
Thu Oct 4 20:55:50 UTC 2007


Hi Greg,

> I have been contacted by a Nico Golde @ debian.org asking
> about the availability of a fix for a security vulnerability for
> the debian package of Jetty but that the maintainers had
> no time to fix it.
>   
>   http://securitytracker.com/alerts/2006/May/1016168.html
> 
> I was totally unaware of any debian packages of Jetty and replied
> to Nico asking if I could be put in contact with the package 
> maintainers.
> 
> Nico then replied with attitude that I was wasting his time
> because I hadn't told him if a specific version was 
> vulnerable (5.0.10 - which is not the packaged version).
> As I have no idea how these packages have been built or 
> configured - I can't say if they are vulnerable or not

Indeed, such checks should be done by the Debian maintainers
and not by you.

> I don't have any knowledge of how debian processes work
> nor if Nico was approaching us in any official capacity.
> I don't know if the debian Jetty packages are officially
> part of debian or not?

Jetty has entered Debian very recently and is not yet part of
a stable Debian release, so there's not yet the need for full
security support, only for ensuring all outstanding security
bugs are fixed for the upcoming release and for addressing
security problems in the development releases.

Right now, Jetty depends on the non-free Java implementations,
which puts it in the "contrib" section of the archive.
This means that although Jetty itself is free software, it is
not a fully supported piece of software and does not receive
security updates. However, since this will most likely change before
the next Debian release (either with OpenJDK or with one of the
other free Java runtimes), we will likely provide security
support beginning with the release of Debian Lenny, expected
in the fourth quarter of 2008. Once that has happened, we
welcome your help to ensure security support for Jetty.

In general it is much appreciated if you provide information about
security problems directly on your website, so that it's
easier for users and distributors to track them, like e.g.
http://httpd.apache.org/security/vulnerabilities_22.html
 
Cheers,
        Moritz
