Control: tags -1 + moreinfo

Hi,

On Sun, 2017-06-11 at 23:33 +0200, Emmanuel Bourg wrote:
> This is a pre-upload request to unblock jetty9/9.2.22-1. This update fixes
> a timing attack in a class checking passwords (no CVE ID has been assigned
> yet) and removes a broken symlink (#857217).
>
> Note that Jetty 9.2.x is in maintenance mode and receives only critical fixes
> from upstream, that's why I'm suggesting to upload a new version (it mostly
> consists in the security fix anyway).

Sorry that this didn't get picked up before the release.

From your comment above, I assume the plan is to get a newer upstream
version of Jetty into unstable soon? If so, then how we proceed with
fixing this in stretch depends on whether the Security Team plan to
handle it via a DSA; CCing them for an opinion.

Regards,

Adam