Format: 1.8
Date: Sat, 03 Jul 2021 19:09:58 +0200
Source: jetty9
Architecture: source
Version: 9.4.39-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 989999 990578
Changes:
 jetty9 (9.4.39-2) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-28169:
     It is possible for requests to the ConcatServlet with a doubly encoded
     path to access protected resources within the WEB-INF directory. For
     example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the
     web.xml file. This can reveal sensitive information regarding the
     implementation of a web application.
   * Fix CVE-2021-34428:
     If an exception is thrown from the SessionListener#sessionDestroyed()
     method, then the session ID is not invalidated in the session ID manager.
     On deployments with clustered sessions and multiple contexts this can
     result in a session not being invalidated. This can result in an
     application used on a shared computer being left logged in.
 .
     Thanks to Salvatore Bonaccorso for the report.
     (Closes: #989999, #990578)
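
The double-decoding problem described for CVE-2021-28169, shown as an added Python model; it is not Jetty's code or the Debian patch. All function names are hypothetical, and the case-insensitive comparison and the "second decoder" layer are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

PROTECTED = "/web-inf"  # directory named in the changelog; case-insensitive match is an assumption


def _is_protected(path: str) -> bool:
    # Collapse dot segments and duplicate leading slashes before comparing.
    norm = "/" + posixpath.normpath(path).lstrip("/").lower()
    return norm == PROTECTED or norm.startswith(PROTECTED + "/")


def naive_allows(raw: str) -> bool:
    """Weak pattern: decode once, check, then pass the string to another decoder."""
    return not _is_protected(unquote(raw))


def downstream_path(raw: str) -> str:
    """Model of a later layer that percent-decodes again what the check let through."""
    return posixpath.normpath(unquote(unquote(raw)))


def canonical(raw: str, max_rounds: int = 8) -> str:
    """Decode until the string stops changing, then normalise dot segments."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return posixpath.normpath(current)
        current = decoded
    raise ValueError("path still changing after %d decode rounds" % max_rounds)


def hardened_allows(raw: str) -> bool:
    """Check the form the final consumer will see; refuse if it cannot be settled."""
    try:
        return not _is_protected(canonical(raw))
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample paths; the first is the one quoted in the changelog.
    for sample in ("/%2557EB-INF/web.xml", "/%57EB-INF/web.xml", "/css/site.css"):
        print(sample, "naive:", naive_allows(sample), "hardened:", hardened_allows(sample))
```

The check and the resource lookup must operate on the same canonical string; a check that runs one decode step earlier than the lookup is what the doubly encoded path slips past.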