Debian Package Tracker

general

source: jetty9 (main)
version: 9.4.33-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Emmanuel Bourg [DMD]
arch: all
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 9.2.21-1+deb9u1
old-sec: 9.2.21-1+deb9u1
old-bpo: 9.2.26-1~bpo9+1
stable: 9.4.15-1
stable-bpo: 9.4.31-1~bpo10+1
testing: 9.4.31-1
unstable: 9.4.33-1

versioned links

9.2.21-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.26-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.15-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.31-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.31-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.33-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jetty9 (5 bugs: 2, 3, 0, 0)
libjetty9-extra-java
libjetty9-java

action needed

4 security issues in buster high

There are 4 open security issues in buster.

1 important issue:

CVE-2020-27216:

3 issues skipped by the security teams:

CVE-2019-10241: In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE-2019-10247: In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2019-17632: In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

Please fix them.

Created: 2019-05-04 Last update: 2020-10-24 17:00

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2020-27216:

Please fix it.

Created: 2020-10-23 Last update: 2020-10-24 17:00

lintian reports 1 error and 4 warnings high

Lintian reports 1 error and 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-09-21 Last update: 2020-09-21 06:02

Depends on packages which need a new maintainer normal

The packages that jetty9 depends on which need a new maintainer are:

dh-exec (#851746)
- Build-Depends: dh-exec

Created: 2019-11-22 Last update: 2020-10-25 07:33

6 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 218ea25dc13ab39f1fb0f6d31a70d7b86b934fff
Author: Emmanuel Bourg <ebourg@apache.org>
Date:   Thu Oct 22 09:57:24 2020 +0200

    Upload to unstable

commit 75ad8ce97eb3be57c8ccb710fbdd07ac7bb3bb9d
Author: Emmanuel Bourg <ebourg@apache.org>
Date:   Thu Oct 22 09:57:13 2020 +0200

    Removed jetty-overlay-deployer from the list of known modules

commit 515f87ffc1057576e4cd3851cc943380587c505c
Author: Emmanuel Bourg <ebourg@apache.org>
Date:   Thu Oct 22 09:49:38 2020 +0200

    Refreshed the patches

commit 5cd3425a0a1fb902eec34de6d923fb1b4647ad24
Merge: 5f38a269 25dac476
Author: Emmanuel Bourg <ebourg@apache.org>
Date:   Thu Oct 22 09:47:18 2020 +0200

    Update upstream source from tag 'upstream/9.4.33'
    
    Update to upstream version '9.4.33'
    with Debian dir 4dfc22d0b03adfdf0960170423d5be6d88794f0f

commit 25dac4767e93728c25c963b083a4c413488fd212
Author: Emmanuel Bourg <ebourg@apache.org>
Date:   Thu Oct 22 09:47:05 2020 +0200

    New upstream version 9.4.33

commit 2d25cfcc7b4cc07ccdda313ebfecbb345933b04f
Author: Emmanuel Bourg <ebourg@apache.org>
Date:   Thu Oct 22 09:46:42 2020 +0200

    New upstream version 9.4.32

Created: 2020-10-22 Last update: 2020-10-22 16:05

6 ignored security issues in stretch low

There are 6 open security issues in stretch.

6 issues skipped by the security teams:

CVE-2017-9735: Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVE-2018-12536: In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVE-2019-10241: In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE-2019-10247: In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2019-17632: In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.
CVE-2020-27216:

Please fix them.

Created: 2017-06-16 Last update: 2020-10-24 17:00

testing migrations

excuses:
- Migration status for jetty9 (9.4.31-1 to 9.4.33-1): Waiting for test results, another package or too young (no action required now - check later)
- Issues preventing migration:
- Too young, only 3 of 5 days old
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/j/jetty9.html
- Not considered

news

[rss feed]

[2020-10-22] Accepted jetty9 9.4.33-1 (source) into unstable (Emmanuel Bourg)
[2020-09-16] Accepted jetty9 9.4.31-1~bpo10+1 (source) into buster-backports (Emmanuel Bourg)
[2020-09-08] jetty9 9.4.31-1 MIGRATED to testing (Debian testing watch)
[2020-09-03] Accepted jetty9 9.4.31-1 (source) into unstable (Emmanuel Bourg)
[2020-06-02] jetty9 9.4.29-1 MIGRATED to testing (Debian testing watch)
[2020-05-27] Accepted jetty9 9.4.29-1 (source) into unstable (Emmanuel Bourg)
[2020-05-27] Accepted jetty9 9.4.28-1~bpo10+1 (source all) into buster-backports (Emmanuel Bourg)
[2020-04-19] jetty9 9.4.28-1 MIGRATED to testing (Debian testing watch)
[2020-04-13] Accepted jetty9 9.4.28-1 (source) into unstable (Emmanuel Bourg)
[2020-04-11] jetty9 9.4.27-1 MIGRATED to testing (Debian testing watch)
[2020-04-05] Accepted jetty9 9.4.27-1 (source) into unstable (Emmanuel Bourg)
[2020-03-03] Accepted jetty9 9.4.26-1~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Emmanuel Bourg)
[2020-02-02] jetty9 9.4.26-1 MIGRATED to testing (Debian testing watch)
[2020-01-27] Accepted jetty9 9.4.26-1 (source) into unstable (Emmanuel Bourg)
[2019-07-18] jetty9 9.4.18-2 MIGRATED to testing (Debian testing watch)
[2019-07-13] Accepted jetty9 9.4.18-2 (source) into unstable (tony mancill)
[2019-05-06] Accepted jetty9 9.4.18-1 (source) into experimental (tony mancill)
[2019-03-07] jetty9 9.4.15-1 MIGRATED to testing (Debian testing watch)
[2019-02-25] Accepted jetty9 9.4.15-1 (source) into unstable (Emmanuel Bourg)
[2018-12-16] jetty9 9.4.14-1 MIGRATED to testing (Debian testing watch)
[2018-12-10] Accepted jetty9 9.4.14-1 (source) into unstable (Emmanuel Bourg)
[2018-12-04] Accepted jetty9 9.2.26-1~bpo9+1 (source all) into stretch-backports (Emmanuel Bourg)
[2018-09-10] jetty9 9.2.26-1 MIGRATED to testing (Debian testing watch)
[2018-09-05] Accepted jetty9 9.2.26-1 (source) into unstable (Emmanuel Bourg)
[2018-08-24] Accepted jetty9 9.2.21-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2018-08-19] Accepted jetty9 9.2.21-1+deb9u1 (source all) into stable->embargoed, stable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2018-07-09] jetty9 9.2.25-1 MIGRATED to testing (Debian testing watch)
[2018-07-03] Accepted jetty9 9.2.25-1 (source) into unstable (Emmanuel Bourg)
[2018-05-30] Accepted jetty9 9.2.24-1~bpo9+1 (source all) into stretch-backports (Emmanuel Bourg)
[2018-05-23] jetty9 9.2.24-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 5
RC: 2
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (1, 4)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.4.29-1
5 bugs