On Wed, Dec 05, 2007 at 11:45:41PM +0100, Steffen Joeris wrote:
> Hi
>
> There have been two more CVEs[0][1] for jetty:
>
> CVE-2007-5613:
>
> Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty
> before 6.1.6rc1 allows remote attackers to inject arbitrary web script or
> HTML via unspecified parameters and cookies.
>
>
> CVE-2007-5614:
>
> Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote
> sequences" in HTML cookie parameters, which allows remote attackers to hijack
> browser sessions via unspecified vectors.
I have spoken with upstream about these three issues and they are working on
a solution for Jetty 5.1 for this. For Jetty 6 (which is not yet in Debian)
the issue was easy to fix due to its design. Jetty 5.1 needs some major work.

Cheers,
Michael

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
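The defect class behind CVE-2007-5613 (a diagnostic page that echoes request parameters and cookies into HTML without encoding them) is easier to see in code than in the advisory text. The following is an added illustration written for this thread; it is not Jetty's Dump Servlet or any Debian patch, and it says nothing about the actual Jetty vectors, which the advisory leaves unspecified. The class name `DumpPageEncoding`, the use of plain `Map`s in place of a servlet request, and the sample parameter and cookie values are all constructed for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;

/**
 * Added illustration (not Jetty code): the same "request dump" page rendered
 * once with client-supplied strings copied verbatim (the XSS pattern) and once
 * with every client-controlled string HTML-escaped first (the fix).
 */
public final class DumpPageEncoding {

    /** Escapes the characters that can end an HTML text node or a quoted attribute. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the dump page; enc is applied to every string that came from the client. */
    static String render(Map<String, String> params, Map<String, String> cookies,
                         Function<String, String> enc) {
        StringBuilder html = new StringBuilder("<html><body><h1>Request dump</h1>\n");
        appendTable(html, "Parameters", params, enc);
        appendTable(html, "Cookies", cookies, enc);
        return html.append("</body></html>\n").toString();
    }

    /** The table title is a server-side constant, so only the rows go through enc. */
    private static void appendTable(StringBuilder html, String title,
                                    Map<String, String> rows, Function<String, String> enc) {
        html.append("<h2>").append(title).append("</h2><table>\n");
        for (Map.Entry<String, String> e : rows.entrySet()) {
            html.append("<tr><td>").append(enc.apply(e.getKey()))
                .append("</td><td>").append(enc.apply(e.getValue()))
                .append("</td></tr>\n");
        }
        html.append("</table>\n");
    }

    /** Vulnerable pattern: identity encoder, i.e. names and values are written verbatim. */
    public static String renderUnsafe(Map<String, String> params, Map<String, String> cookies) {
        return render(params, cookies, Function.identity());
    }

    /** Fixed pattern: every client-controlled name and value is escaped before output. */
    public static String renderSafe(Map<String, String> params, Map<String, String> cookies) {
        return render(params, cookies, DumpPageEncoding::escapeHtml);
    }

    /** Demo-only check: does the rendered page still contain an unescaped tag from the input? */
    public static boolean containsRawTag(String html) {
        return html.contains("<script") || html.contains("<img");
    }

    public static void main(String[] args) {
        // Constructed sample input, not taken from any real request: one harmless
        // parameter and cookie each, plus one of each carrying HTML markup.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("user", "alice");
        params.put("q", "<script>alert(1)</script>");
        Map<String, String> cookies = new LinkedHashMap<>();
        cookies.put("JSESSIONID", "ABC123");
        cookies.put("pref", "\"><img src=x onerror=alert(2)>");

        String unsafe = renderUnsafe(params, cookies);
        String safe = renderSafe(params, cookies);
        System.out.println("unsafe page contains raw tag: " + containsRawTag(unsafe));
        System.out.println("safe page contains raw tag:   " + containsRawTag(safe));
        System.out.println(safe);
    }
}
```

The design point is that the encoder is applied at the output sink, on every string the client controls (cookie names as well as values, since a browser forwards both), rather than by filtering selected inputs; that is what makes a dump or debug page safe to leave reachable, and it is the class of change the advisory describes as straightforward in a well-layered servlet.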

