this bug should be closed. the CERT never applied to jetty 5 (which is what debian uses) and was fixed some time ago in jetty 6 Please see http://docs.codehaus.org/display/JETTY/Jetty+Security Note that it would also be good for debian to upgrade to jetty 6 cheers