Debian Package Tracker

general

source: jetty9 (main)
version: 9.4.15-1
maintainer: Debian Java Maintainers (archive) [DMD]
uploaders: Emmanuel Bourg [DMD]
arch: all
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 9.2.21-1+deb9u1
stable-sec: 9.2.21-1+deb9u1
stable-bpo: 9.2.26-1~bpo9+1
testing: 9.4.15-1
unstable: 9.4.15-1
exp: 9.4.18-1

versioned links

9.2.21-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.26-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.15-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.18-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jetty9 (5 bugs: 2, 3, 0, 0)
libjetty9-extra-java
libjetty9-java

action needed

A new upstream version is available: 9.4.19 high

A new upstream version 9.4.19 is available, you should consider packaging it.

Created: 2019-04-13 Last update: 2019-06-26 10:32

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2019-10247: In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2019-10241: In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Please fix them.

Created: 2019-05-04 Last update: 2019-06-14 14:00

lintian reports 1 error and 2 warnings high

Lintian reports 1 error and 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-03-14 Last update: 2019-03-14 13:03

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 9.4.18-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 2ce87f90cd86ad31bc7d407d9e2502dd4f657647
Author: tony mancill <tmancill@debian.org>
Date:   Sun May 12 09:23:11 2019 -0700

    interim changelog

commit 2d543abc37e3d24e0bdd3e4de3f24fbe8ed4f0ad
Author: tony mancill <tmancill@debian.org>
Date:   Sun May 12 09:17:05 2019 -0700

    Add dependency on libecj-java (Closes: #924168)

Created: 2019-05-12 Last update: 2019-06-26 15:31

Depends on packages which need a new maintainer normal

The packages that jetty9 depends on which need a new maintainer are:

lsb (#924519)
- Depends: lsb-base
apache2 (#910917)
- Depends: apache2-utils
dh-exec (#851746)
- Build-Depends: dh-exec

Created: 2017-12-02 Last update: 2019-06-26 14:50

2 ignored security issues in buster low

There are 2 open security issues in buster.

2 issues skipped by the security teams:

CVE-2019-10247: In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2019-10241: In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Please fix them.

Created: 2019-05-04 Last update: 2019-06-14 14:00

4 ignored security issues in stretch low

There are 4 open security issues in stretch.

4 issues skipped by the security teams:

CVE-2018-12536: In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVE-2019-10247: In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2019-10241: In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE-2017-9735: Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Please fix them.

Created: 2017-06-16 Last update: 2019-06-14 14:00

news

[rss feed]

[2019-05-06] Accepted jetty9 9.4.18-1 (source) into experimental (tony mancill)
[2019-03-07] jetty9 9.4.15-1 MIGRATED to testing (Debian testing watch)
[2019-02-25] Accepted jetty9 9.4.15-1 (source) into unstable (Emmanuel Bourg)
[2018-12-16] jetty9 9.4.14-1 MIGRATED to testing (Debian testing watch)
[2018-12-10] Accepted jetty9 9.4.14-1 (source) into unstable (Emmanuel Bourg)
[2018-12-04] Accepted jetty9 9.2.26-1~bpo9+1 (source all) into stretch-backports (Emmanuel Bourg)
[2018-09-10] jetty9 9.2.26-1 MIGRATED to testing (Debian testing watch)
[2018-09-05] Accepted jetty9 9.2.26-1 (source) into unstable (Emmanuel Bourg)
[2018-08-24] Accepted jetty9 9.2.21-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2018-08-19] Accepted jetty9 9.2.21-1+deb9u1 (source all) into stable->embargoed, stable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2018-07-09] jetty9 9.2.25-1 MIGRATED to testing (Debian testing watch)
[2018-07-03] Accepted jetty9 9.2.25-1 (source) into unstable (Emmanuel Bourg)
[2018-05-30] Accepted jetty9 9.2.24-1~bpo9+1 (source all) into stretch-backports (Emmanuel Bourg)
[2018-05-23] jetty9 9.2.24-1 MIGRATED to testing (Debian testing watch)
[2018-05-17] Accepted jetty9 9.2.24-1 (source) into unstable (Emmanuel Bourg)
[2018-03-06] Accepted jetty9 9.2.23-1~bpo8+1 (source all) into jessie-backports-sloppy, jessie-backports-sloppy (Emmanuel Bourg)
[2018-01-24] Accepted jetty9 9.2.23-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Emmanuel Bourg)
[2018-01-11] jetty9 9.2.23-1 MIGRATED to testing (Debian testing watch)
[2018-01-11] jetty9 9.2.23-1 MIGRATED to testing (Debian testing watch)
[2018-01-05] Accepted jetty9 9.2.23-1 (source) into unstable (Emmanuel Bourg)
[2017-12-20] jetty9 9.2.22-3 MIGRATED to testing (Debian testing watch)
[2017-12-14] Accepted jetty9 9.2.22-3 (source) into unstable (Emmanuel Bourg)
[2017-07-10] jetty9 9.2.22-2 MIGRATED to testing (Debian testing watch)
[2017-07-04] Accepted jetty9 9.2.22-2 (source) into unstable (Emmanuel Bourg)
[2017-06-25] jetty9 9.2.22-1 MIGRATED to testing (Debian testing watch)
[2017-06-19] Accepted jetty9 9.2.22-1 (source) into unstable (Emmanuel Bourg)
[2017-04-22] Accepted jetty9 9.2.21-1~bpo8+1 (source all) into jessie-backports->backports-policy, jessie-backports (Emmanuel Bourg)
[2017-02-05] jetty9 9.2.21-1 MIGRATED to testing (Debian testing watch)
[2017-02-05] jetty9 9.2.21-1 MIGRATED to testing (Debian testing watch)
[2017-01-25] Accepted jetty9 9.2.21-1 (source all) into unstable (Emmanuel Bourg)

bugs [bug history graph]

all: 6
RC: 2
I&N: 3
M&W: 0
F&P: 1
patch: 0

links

homepage
lintian (1, 2)
buildd: logs, exp, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.4.15-1
4 bugs