Hi,

FYI, none of the jetty releases present in Debian are affected by CVE-2018-12538.

CVE-2018-12538 affects FileSessionDataStore and more specifically its function getFile(). This class was introduced in 9.4; this vulnerability thus affects 9.4.x releases only (and the jetty package has version < 9.0, jetty9 has <= 9.2.24).

FTR, FileSessionDataStore was introduced in fa8232d3c81608c25d9e8c66cdfe8ab7a66c892b and the vulnerable code in 54a56314627f0a2c33ca67d813e3396f6bc03274.

regards,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA