Debian Package Tracker

general

source: jetty9 (main)
version: 9.4.18-2
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Emmanuel Bourg [DMD]
arch: all
std-ver: 4.4.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 9.2.21-1+deb9u1
old-sec: 9.2.21-1+deb9u1
old-bpo: 9.2.26-1~bpo9+1
stable: 9.4.15-1
testing: 9.4.18-2
unstable: 9.4.18-2

versioned links

9.2.21-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.26-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.15-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.18-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jetty9 (5 bugs: 2, 3, 0, 0)
libjetty9-extra-java
libjetty9-java

action needed

A new upstream version is available: 9.4.26 high

A new upstream version 9.4.26 is available, you should consider packaging it.

Created: 2019-04-13 Last update: 2020-01-26 19:50

3 security issues in bullseye high

There are 3 open security issues in bullseye.

3 important issues:

CVE-2019-10241: In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE-2019-10247: In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2019-17632: In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

Please fix them.

Created: 2019-07-07 Last update: 2019-11-27 14:26

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2019-10241: In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE-2019-10247: In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2019-17632: In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

Please fix them.

Created: 2019-05-04 Last update: 2019-11-27 14:26

Depends on packages which need a new maintainer normal

The packages that jetty9 depends on which need a new maintainer are:

apache2 (#910917)
- Depends: apache2-utils
dh-exec (#851746)
- Build-Depends: dh-exec

Created: 2019-11-22 Last update: 2020-01-26 21:03

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-09-01 Last update: 2019-09-01 15:13

3 ignored security issues in buster low

There are 3 open security issues in buster.

3 issues skipped by the security teams:

CVE-2019-10241: In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE-2019-10247: In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2019-17632: In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

Please fix them.

Created: 2019-05-04 Last update: 2019-11-27 14:26

5 ignored security issues in stretch low

There are 5 open security issues in stretch.

5 issues skipped by the security teams:

CVE-2018-12536: In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVE-2019-10241: In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE-2019-10247: In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2017-9735: Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVE-2019-17632: In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

Please fix them.

Created: 2017-06-16 Last update: 2019-11-27 14:26

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.4.0).

Created: 2019-09-29 Last update: 2020-01-21 05:06

news

[rss feed]

[2019-07-18] jetty9 9.4.18-2 MIGRATED to testing (Debian testing watch)
[2019-07-13] Accepted jetty9 9.4.18-2 (source) into unstable (tony mancill)
[2019-05-06] Accepted jetty9 9.4.18-1 (source) into experimental (tony mancill)
[2019-03-07] jetty9 9.4.15-1 MIGRATED to testing (Debian testing watch)
[2019-02-25] Accepted jetty9 9.4.15-1 (source) into unstable (Emmanuel Bourg)
[2018-12-16] jetty9 9.4.14-1 MIGRATED to testing (Debian testing watch)
[2018-12-10] Accepted jetty9 9.4.14-1 (source) into unstable (Emmanuel Bourg)
[2018-12-04] Accepted jetty9 9.2.26-1~bpo9+1 (source all) into stretch-backports (Emmanuel Bourg)
[2018-09-10] jetty9 9.2.26-1 MIGRATED to testing (Debian testing watch)
[2018-09-05] Accepted jetty9 9.2.26-1 (source) into unstable (Emmanuel Bourg)
[2018-08-24] Accepted jetty9 9.2.21-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2018-08-19] Accepted jetty9 9.2.21-1+deb9u1 (source all) into stable->embargoed, stable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2018-07-09] jetty9 9.2.25-1 MIGRATED to testing (Debian testing watch)
[2018-07-03] Accepted jetty9 9.2.25-1 (source) into unstable (Emmanuel Bourg)
[2018-05-30] Accepted jetty9 9.2.24-1~bpo9+1 (source all) into stretch-backports (Emmanuel Bourg)
[2018-05-23] jetty9 9.2.24-1 MIGRATED to testing (Debian testing watch)
[2018-05-17] Accepted jetty9 9.2.24-1 (source) into unstable (Emmanuel Bourg)
[2018-03-06] Accepted jetty9 9.2.23-1~bpo8+1 (source all) into jessie-backports-sloppy, jessie-backports-sloppy (Emmanuel Bourg)
[2018-01-24] Accepted jetty9 9.2.23-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Emmanuel Bourg)
[2018-01-11] jetty9 9.2.23-1 MIGRATED to testing (Debian testing watch)
[2018-01-11] jetty9 9.2.23-1 MIGRATED to testing (Debian testing watch)
[2018-01-05] Accepted jetty9 9.2.23-1 (source) into unstable (Emmanuel Bourg)
[2017-12-20] jetty9 9.2.22-3 MIGRATED to testing (Debian testing watch)
[2017-12-14] Accepted jetty9 9.2.22-3 (source) into unstable (Emmanuel Bourg)
[2017-07-10] jetty9 9.2.22-2 MIGRATED to testing (Debian testing watch)
[2017-07-04] Accepted jetty9 9.2.22-2 (source) into unstable (Emmanuel Bourg)
[2017-06-25] jetty9 9.2.22-1 MIGRATED to testing (Debian testing watch)
[2017-06-19] Accepted jetty9 9.2.22-1 (source) into unstable (Emmanuel Bourg)
[2017-04-22] Accepted jetty9 9.2.21-1~bpo8+1 (source all) into jessie-backports->backports-policy, jessie-backports (Emmanuel Bourg)
[2017-02-05] jetty9 9.2.21-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 5
RC: 2
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 2)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.4.18-2build2
4 bugs