
I have compared the lists for jetty, jetty8 and jetty9.

jetty8 first appears in 2012.
jetty9 first appears in 2015.

This means that CVE entries before 2012 are not relevant for jetty8 and
those before 2015 are not relevant for jetty9.

When I look at the open issues for jetty they look identical, but the
resolved list is a little different.
jetty9 does not have CVE-2015-2080 marked as resolved. This should be checked to
see that it has not been missed.

The ones you mention are now listed for all of them and I think that is

But I do not see the difference you mention for jetty8 and jetty9 (just one
package diff).
The list is much longer for jetty, simply because it has been around for a
longer period, but I do not see the other difference.

Or am I looking in the wrong place when comparing them?
I'm comparing the following pages:

Best regards

// Ola

On 2 July 2018 at 17:50, Hugo Lefeuvre <h...@debian.org> wrote:

> Hi,
> I just noticed that jetty8 is almost never marked as affected by issues
> in jetty and jetty9. Is it intentional that jetty8 isn't listed whereas
> jetty and jetty9 are?
> For example:
>  - CVE-2018-12538: there is no obvious reason why jetty8 wouldn't be
>    listed if jetty and jetty9 are.
>  - CVE-2018-12536: there is no way to tell jetty8 isn't affected without
>    doing some code analysis / at least trying to reproduce, and even so
>    it would be better to list jetty8 and mark it not-affected.
> ... and many others. The number of issues "affecting" jetty8 is a lot
> smaller than jetty/jetty9.
> Regards,
>  Hugo
> --
>              Hugo Lefeuvre (hle)    |    www.owl.eu.com
> 4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA

 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
