Your message dated Sun, 18 Jul 2021 18:03:46 +0000 with message-id <e1m5b8k-000gxm...@fasolo.debian.org> and subject line Bug#991188: fixed in jetty9 9.4.39-3 has caused the Debian Bug report #991188, regarding jetty9: CVE-2021-34429 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 991188: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991188 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: jetty9 Version: 9.4.39-2 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for jetty9. CVE-2021-34429[0]: | For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & | 11.0.1-11.0.5, URIs can be crafted using some encoded characters to | access the content of the WEB-INF directory and/or bypass some | security constraints. This is a variation of the vulnerability | reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-34429 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34429 [1] https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm Please adjust the affected versions in the BTS as needed. Just from the upstream versions it is considered to be a problem starting with 9.4.37, but I have *not* checked if we might have an earlier patch introducing the issue, so please double check, but I suspect the only version so far affected is the one in bullseye/sid. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: jetty9 Source-Version: 9.4.39-3 Done: Markus Koschany <a...@debian.org> We believe that the bug you reported is fixed in the latest version of jetty9, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 991...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Markus Koschany <a...@debian.org> (supplier of updated jetty9 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 18 Jul 2021 19:37:57 +0200 Source: jetty9 Architecture: source Version: 9.4.39-3 Distribution: unstable Urgency: high Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Closes: 991188 Changes: jetty9 (9.4.39-3) unstable; urgency=high . * Team upload. * Fix CVE-2021-34429: URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. Thanks to Salvatore Bonaccorso for the report. (Closes: #991188) Checksums-Sha1: 0332f0c810a736d96f21eebc90262e8dd0e9e8fe 2750 jetty9_9.4.39-3.dsc 56da909b10bb1871f2fda5fae851308382d0db34 40860 jetty9_9.4.39-3.debian.tar.xz 0466e64dae2866564fe6eb3fc0413226dc0e0def 17328 jetty9_9.4.39-3_amd64.buildinfo Checksums-Sha256: 5fbf79386b6b8928cf591e32b39b78d8758421dce5ffa6eb38a1adc02c72812e 2750 jetty9_9.4.39-3.dsc cddf6acaf6be3e14a03e3327f45dfe7180c0d9d3652d2dd94dfa39b45e48ee1f 40860 jetty9_9.4.39-3.debian.tar.xz 7ff323625571640d86b00537e86421f6ac3846da8667188ba05d380fcd52e9a0 17328 jetty9_9.4.39-3_amd64.buildinfo Files: e20fd12bece3dc0c05ab715b16caf868 2750 java optional jetty9_9.4.39-3.dsc 646772133b47a62a407b766d48e8d958 40860 java optional jetty9_9.4.39-3.debian.tar.xz f4e8d95d1dd2dd4049b974d76d92560d 17328 java optional jetty9_9.4.39-3_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmD0aLdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp YW4ub3JnAAoJENmtFLlRO1Hkd4cP/jmQfD1+uel+fRGo7JdFSylEjNjv7vbYXD/+ 9cP/iNNuquZIPJnjUQhcpuqRwLxvlp8o4Aqvz//Idy3+RMg/zX4DICKBI3GDxbrk CdpthAHArJaHGexEgTnnnOYHpFdmSOu7/QWnXGwJPt4pGwfRCdm+gDHrknCrdL0q lH/4GNkssyYO0Moj34pLNLCBN4Va4tmgUSXhllqKNtVP0qlvSuqCpX0eXBpJtsLL Qbz5fKkID2WfkxsVpaAL57Tmttgu5wTIhyuWkYcobylCPaJ3maxF5xRGvn0gebMA Y1+MqsJMwfe1tYcl6u71qVnbgVafBsG8ED+i65Hdvn0TlkLQoBXs4Qh9NUeZbaas tB3igf9GIEjeOW6Z1KVCkeUGCjeDaCI0G9nRdbNJSLDRiWF50iEz+BYzAm05nUXe LDAHOIoNJ0n+ZqCa6xzIaL8SZPh8lub9NNaG7Dqzzp8HhJ0pLEmauTS0qquXyEhp BzEzhZiiUcSUZfui9LfoH20QD2itx8UB9xnV1e+AZwvuftoI3ZM/EsGI36JEB2ub ToFl1WLhJN99nrS2EDqD5oEGlg2zeT+aAv28X+T3a+CYv439djEmncFh351WnjjO ZU2ri3ibwE+RREw124fKR7XxadMLzrSS3xfJjOfyFF6svGFe8kpDfuC1bGJ/rssf c0wIvVhr =G0PS -----END PGP SIGNATURE-----
--- End Message ---
