This bug should be closed.
The CERT never applied to Jetty 5 (which is what Debian uses)
and was fixed some time ago in Jetty 6.
Please see
http://docs.codehaus.org/display/JETTY/Jetty+Security
Note that it would also be good for Debian to upgrade to Jetty 6.
Cheers