Your message dated Mon, 07 Dec 2009 10:38:07 +0100
with message-id <[email protected]>
and subject line Re: Bug#559765: jetty: CVE-2007-6672 info disclosure
has caused the Debian Bug report #559765,
regarding jetty: CVE-2007-6672 info disclosure
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
559765: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559765
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jetty
Version: 6.1.21-1
Severity: serious
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for jetty.
CVE-2007-6672[0]:
| Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass
| protection mechanisms and read the source of files via multiple '/'
| (slash) characters in the URI.
This may already be fixed. Some of the messages that are linked from
the mitre page indiced that supposedly this was to be fixed in 6.1.7,
but I was unable to track down patches to verify. Please check.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672
http://security-tracker.debian.org/tracker/CVE-2007-6672
--- End Message ---
--- Begin Message ---
Michael Gilbert wrote:
> Package: jetty
> Version: 6.1.21-1
> Severity: serious
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for jetty.
>
> CVE-2007-6672[0]:
> | Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass
> | protection mechanisms and read the source of files via multiple '/'
> | (slash) characters in the URI.
>
> This may already be fixed. Some of the messages that are linked from
> the mitre page indiced that supposedly this was to be fixed in 6.1.7,
> but I was unable to track down patches to verify. Please check.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672
> http://security-tracker.debian.org/tracker/CVE-2007-6672
>
>
>
> _______________________________________________
> pkg-java-maintainers mailing list
> [email protected]
> http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
>
Hi Michael
Thank you for your report.
I found the upstream bug report[1] where upstream say they have fixed it
in 6.1.7 (and provide a fix for earlier versions as well) - I saw no
reason to doubt this.
Nevertheless if you can reproduce the issue, please do not hesitate to
reopen the bug.
~Niels
[1]
http://jira.codehaus.org/browse/JETTY-386?focusedCommentId=117699&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_117699
<quote>
[...] Release 6.1.7 is now being created with this fix. [...]
</quote>
signature.asc
Description: OpenPGP digital signature
--- End Message ---
