Bug#928444: fixed in jetty9 9.4.18-1
tony mancill
tmancill at debian.org
Sun May 26 23:14:56 BST 2019
On Sun, May 26, 2019 at 09:24:30PM +0200, Moritz Mühlenhoff wrote:
> On Mon, May 06, 2019 at 04:19:33AM +0000, tony mancill wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > Format: 1.8
> > Date: Sun, 05 May 2019 19:57:45 -0700
> > Source: jetty9
> > Architecture: source
> > Version: 9.4.18-1
> > Distribution: experimental
> > Urgency: medium
> > Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
> > Changed-By: tony mancill <tmancill at debian.org>
> > Closes: 928444
> > Changes:
> > jetty9 (9.4.18-1) experimental; urgency=medium
> > .
> > * Team upload.
> > * New upstream release
> > - Addresses CVE-2019-10241, CVE-2019-10247 (Closes: #928444)
>
> What's the plan for unstable/buster?
Hi Moritz,
Good question! I uploaded the new version to experimental so users had
at least one option within Debian for addressing those CVEs, but I
haven't looked into what it would take to backport just the CVE patches
to 9.4.15.
Are we deep enough into the freeze that it is reasonable to go ahead and
upload to unstable? (I'm never sure how to judge these things.)
For buster, t-p-u would have a quick turn around, but there are a number
of upstream changes between 9.4.15 and 9.4.18 [1], and I don't have a
good sense for the risk trade-off between the new version and the
backport. Since I haven't handled any of the jetty9 uploads, I would
like to defer to Emmanuel to see if he has a preference.
Thank you,
tony
[1] https://salsa.debian.org/java-team/jetty9/blob/be3f955ab42b5612e1022667216f8453812f5277/VERSION.txt#L1-43
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20190526/d7b26822/attachment.sig>
More information about the pkg-java-maintainers
mailing list