Your message dated Fri, 05 Oct 2007 06:02:04 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#445283: fixed in jetty 5.1.10-4 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---Package: jetty Severity: grave Tags: security Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for jetty. CVE-2006-6969[0]: | Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 | before 6.1.0pre3 generates predictable session identifiers using | java.util.random, which makes it easier for remote attackers to guess | a session identifier through brute force attacks, bypass | authentication requirements, and possibly conduct cross-site request | forgery attacks. If you fix this vulnerability please also include the CVE id in your changelog entry. This vulnerability has been verified in the Debian versions by the upstream. I am currently waiting to get a patch for this. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969 Kind regards Nico -- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.pgp3QXlckfHLR.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---Source: jetty Source-Version: 5.1.10-4 We believe that the bug you reported is fixed in the latest version of jetty, which is due to be installed in the Debian FTP archive: jetty-extra_5.1.10-4_all.deb to pool/contrib/j/jetty/jetty-extra_5.1.10-4_all.deb jetty_5.1.10-4.diff.gz to pool/contrib/j/jetty/jetty_5.1.10-4.diff.gz jetty_5.1.10-4.dsc to pool/contrib/j/jetty/jetty_5.1.10-4.dsc jetty_5.1.10-4_all.deb to pool/contrib/j/jetty/jetty_5.1.10-4_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Koch <[EMAIL PROTECTED]> (supplier of updated jetty package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Fri, 05 Oct 2007 07:34:55 +0200 Source: jetty Binary: jetty-extra jetty Architecture: source all Version: 5.1.10-4 Distribution: unstable Urgency: low Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Michael Koch <[EMAIL PROTECTED]> Description: jetty - Java servlet engine and webserver jetty-extra - Extensions to jetty Closes: 445283 Changes: jetty (5.1.10-4) unstable; urgency=low . * Added patch to fix CVE-2006-6969. Thanks to Greg Wilkins for the patch. Closes: #445283. * Updated debian/patches/jdk-1.2-src-encoding.patch to make it work with current ecj. Files: d8f0d95a6a2512856c5e1bd953f460d7 834 contrib/web optional jetty_5.1.10-4.dsc d4523bded143b1b1b279a786e99d356e 17540 contrib/web optional jetty_5.1.10-4.diff.gz 293dd10205be58ab88b9abeed7cc41e2 2085478 contrib/web optional jetty_5.1.10-4_all.deb 44906c4f66623272214d9ede0ea7a215 787728 contrib/web optional jetty-extra_5.1.10-4_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHBc7LWSOgCCdjSDsRAn9HAJ9lsyzTIQY5puTK13hd4o4TyGwyjACZAVLk klXyIv6ZmcdTJZ+LT7g2bl4= =JGSY -----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers