Bug#1085698: jetty9: CVE-2024-6763

Markus Koschany apo at debian.org
Tue Apr 1 19:06:31 BST 2025


According to upstream, jetty9 server and client are not affected, or more
specifically, quote:

"Jetty 9 doesn't even have a UriCompliance, nor is it RFC9110. This PR in Jetty
9 makes no sense. We cannot force RFC9110 on Jetty 9 users, and the Jetty 9
users have no means to configure this UriCompliance rule it once it is
implemented."

This is more of an issue of how browsers and jetty use different conventions to
parse a URI. The solution for jetty12 is to deprecate a part of a newer
specification which jetty9 does not even use.

This can't be properly addressed in Jetty 9.

I keep this issue open for further reference.


    