Debian Bug report logs -
#462793
jetty5: CVE-2007-6672 unauthorized disclosure of information
Reported by: Nico Golde <nion@debian.org>
Date: Sun, 27 Jan 2008 15:27:01 UTC
Severity: grave
Tags: security
Done: "Damien Raude-Morvan" <drazzib@drazzib.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#462793; Package jetty5.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: jetty5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for jetty5.
CVE-2007-6672[0]:
| Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass
| protection mechanisms and read the source of files via multiple '/'
| (slash) characters in the URI.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#462793; Package jetty5.
(full text, mbox, link).
Acknowledgement sent to Martin Michlmayr <tbm@cyrius.com>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org.
(full text, mbox, link).
Message #10 received at 462793@bugs.debian.org (full text, mbox, reply):
* Nico Golde <nion@debian.org> [2008-01-27 16:25]:
> Source: jetty5
There's no such package?
--
Martin Michlmayr
http://www.cyrius.com/
Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#462793; Package jetty5.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org.
(full text, mbox, link).
Message #15 received at 462793@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
reassign 462793 jetty
thanks
Hi,
* Martin Michlmayr <tbm@cyrius.com> [2008-01-28 15:05]:
> * Nico Golde <nion@debian.org> [2008-01-27 16:25]:
> > Source: jetty5
>
> There's no such package?
Thanks for the hint. How did you notice it?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Bug reassigned from package `jetty5' to `jetty'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Mon, 28 Jan 2008 20:51:05 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#462793; Package jetty.
(full text, mbox, link).
Acknowledgement sent to Martin Zobel-Helas <zobel@ftbfs.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(full text, mbox, link).
Message #22 received at 462793@bugs.debian.org (full text, mbox, reply):
Hi,
On Mon Jan 28, 2008 at 21:50:21 +0100, Nico Golde wrote:
> reassign 462793 jetty
> thanks
>
> Hi,
> * Martin Michlmayr <tbm@cyrius.com> [2008-01-28 15:05]:
> > * Nico Golde <nion@debian.org> [2008-01-27 16:25]:
> > > Source: jetty5
> >
> > There's no such package?
>
> Thanks for the hint. How did you notice it?
unkown-package@qa.d.o
look at merkel.
--
Martin Zobel-Helas <zobel@debian.org> | Debian Release Team Member
Debian & GNU/Linux Developer | Debian Listmaster
Public key http://zobel.ftbfs.de/5d64f870.asc - KeyID: 5D64 F870
GPG Fingerprint: 5DB3 1301 375A A50F 07E7 302F 493E FB8E 5D64 F870
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#462793; Package jetty.
(full text, mbox, link).
Acknowledgement sent to Greg Wilkins <gregw@mortbay.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(full text, mbox, link).
Message #27 received at 462793@bugs.debian.org (full text, mbox, reply):
this bug should be closed.
the CERT never applied to jetty 5 (which is what debian uses)
and was fixed some time ago in jetty 6
Please see
http://docs.codehaus.org/display/JETTY/Jetty+Security
Note that it would also be good for debian to upgrade to jetty 6
cheers
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 05 Sep 2008 07:31:43 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:50:14 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon