Hi Sebastien You are right, CVE-2011-XXXX first found to affect jetty (jetty 6) could very well not be fixed in jetty 8 since jetty 8 was first released in 2009.
http://www.eclipse.org/jetty/documentation/current/what-jetty-version.html So to be on the safe side I checked the two CVEs from 2011. CVE-2011-4461 affects 8.1.0-RC2 and earlier (later version exists in jessie) and also marked as no-dsa (minor issue). CVE-2011-4404 marked as duplicate of another CVE from 2009 and that problem was solved in 2009. With this said, yes we could mark these also for jetty8 for completeness, but I do not see a big benefit. Best regards // Ola On 3 July 2018 at 16:58, Sébastien Delafond <s...@debian.org> wrote: > On 2018-07-03, Ola Lundqvist <o...@inguza.com> wrote: > > jetty8 appears first 2012. > > jetty9 appears first 2015. > > > > This means that CVE entries before 2012 are not relevant for jetty8 > > and before 2015 not relevant for jetty9. > > That's just wrong; for instance, a CVE-2011-XXXX first found to affect > jetty7 could very well not be fixed yet in jetty8. > > Cheers, > > --Seb > > -- --- Inguza Technology AB --- MSc in Information Technology ---- / o...@inguza.com Folkebogatan 26 \ | o...@debian.org 654 68 KARLSTAD | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / ---------------------------------------------------------------
