Format: 1.8
Date: Mon, 12 Apr 2021 00:11:03 +0200
Source: jetty9
Architecture: source
Version: 9.4.39-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Changes:
 jetty9 (9.4.39-1) unstable; urgency=high
 .
   * New upstream release
     - Fixed CVE-2021-28163: If a user uses a webapps directory that is
       a symlink, the contents of the webapps directory is deployed as a static
       webapp, inadvertently serving the webapps themselves and anything else
       that might be in that directory.
     - Fixes CVE-2021-28164: The default compliance mode allows requests with
       URIs that contain %2e or %2e%2e segments to access protected resources
       within the WEB-INF directory. This can reveal sensitive information
       regarding the implementation of a web application.
     - Fixes CVE-2021-28165: CPU usage can reach 100% upon receiving a large
       invalid TLS frame.