Hi Sebastian

With this reasoning we cannot assume that a later release includes fixes for earlier releases for any package. Jetty seems to be actively and sanely maintained, so I think the risk you point out is very low. But you are right, this could be the case for a badly maintained package.

Cheers

// Ola

On 5 July 2018 at 13:23, Sébastien Delafond <s...@debian.org> wrote:
> On 2018-07-04, Ola Lundqvist <o...@inguza.com> wrote:
> > You are right, CVE-2011-XXXX first found to affect jetty (jetty 6)
> > could very well not be fixed in jetty 8 since jetty 8 was first
> > released in 2009.
>
> Even if jetty 8 had been first released in 2018, you *still* could not
> conclude anything simply because "2011 is before 2018". All your
> statements about "CVE-YYYY-XXX can't affect foo because foo was released
> after year YYYY" are just plain wrong.
>
> Cheers,
>
> --Seb
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                    654 68 KARLSTAD            |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551 |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------