Your message dated Sun, 18 Jul 2021 18:03:46 +0000
with message-id <e1m5b8k-000gxm...@fasolo.debian.org>
and subject line Bug#991188: fixed in jetty9 9.4.39-3
has caused the Debian Bug report #991188,
regarding jetty9: CVE-2021-34429
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
991188: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991188
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jetty9
Version: 9.4.39-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for jetty9.

CVE-2021-34429[0]:
| For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 &
| 11.0.1-11.0.5, URIs can be crafted using some encoded characters to
| access the content of the WEB-INF directory and/or bypass some
| security constraints. This is a variation of the vulnerability
| reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-34429
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34429
[1] https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm

Please adjust the affected versions in the BTS as needed. Just from
the upstream versions it is considered to be a problem starting with
9.4.37, but I have *not* checked if we might have an earlier patch
introducing the issue, so please double check, but I suspect the only
version so far affected is the one in bullseye/sid.

Regards,
Salvatore

--- End Message ---
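The advisory text above describes the bug class only in general terms (encoded characters in a URI that, once the container decodes and resolves the path, land inside WEB-INF). For anyone checking access logs for probes of this kind, the following is an added example of a log-side detector; it is not Jetty code and not part of the Debian bug report. Its approach is to canonicalize each request path the way a servlet container eventually will (decode percent escapes repeatedly, drop NUL bytes, resolve dot segments) and then ask whether the result points into WEB-INF or META-INF. The sample log lines are constructed, and the specific encodings they use (%2e, %00, %u002e, double-encoding) are assumptions about what "some encoded characters" could look like, not the advisory's own payloads.

```python
"""Flag requests whose decoded, normalized path resolves into WEB-INF or META-INF.

Added example for CVE-2021-34429-style probes. Not Jetty code, not from the Debian bug.
The log lines and the encodings they carry are constructed for the example.
"""
import re
from urllib.parse import unquote

PROTECTED_DIRS = {"WEB-INF", "META-INF"}
_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")
# Common Log Format: client ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')


def canonicalize(path: str) -> str:
    """Return the path a container would resolve after decoding and dot-segment removal."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    # Decode up to three rounds so double-encoded sequences (%252e -> %2e -> .) collapse.
    # %uXXXX escapes are non-standard; decoding them is an assumption about lenient front-ends.
    for _ in range(3):
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), path)
        decoded = unquote(decoded)
        if decoded == path:
            break
        path = decoded
    # NUL bytes terminate strings in some layers; backslashes are separators on others.
    path = path.replace("\x00", "").replace("\\", "/")
    # Resolve "." and ".." without escaping the root.
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def targets_protected_dir(path: str) -> bool:
    """True if any segment of the canonical path is WEB-INF or META-INF.

    Case-insensitive on purpose: a detector should stay conservative on
    case-insensitive filesystems.
    """
    segments = canonicalize(path).split("/")[1:]
    return any(seg.upper() in PROTECTED_DIRS for seg in segments)


def scan_log(lines):
    """Return one record per request that resolves into a protected directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, raw_path, status = m.groups()
        if targets_protected_dir(raw_path):
            hits.append({
                "client": client,
                "method": method,
                "raw_path": raw_path,
                "canonical": canonicalize(raw_path),
                "status": int(status),  # 200 here means the container served the file
            })
    return hits


# Constructed sample log (not real traffic). The encoded variants are assumptions.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jul/2021:18:03:46 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [18/Jul/2021:18:03:47 +0000] "GET /%2e/WEB-INF/web.xml HTTP/1.1" 200 1420
192.0.2.10 - - [18/Jul/2021:18:03:48 +0000] "GET /.%00/WEB-INF/web.xml HTTP/1.1" 200 1420
192.0.2.10 - - [18/Jul/2021:18:03:49 +0000] "GET /%u002e/WEB-INF/web.xml HTTP/1.1" 200 1420
192.0.2.10 - - [18/Jul/2021:18:03:50 +0000] "GET /app/static/logo.png HTTP/1.1" 200 9000
192.0.2.10 - - [18/Jul/2021:18:03:51 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['client']} {hit['method']} {hit['raw_path']!r} -> "
              f"{hit['canonical']} (status {hit['status']})")
```

A plain `/WEB-INF/web.xml` request is flagged too, even though the container refuses it, because it is still a probe worth correlating with the encoded variants from the same client. The status field is what separates "attempted" from "served": a 200 on a canonical WEB-INF path is the signal that the container in question decoded the URI after its protected-target check rather than before.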
--- Begin Message ---
Source: jetty9
Source-Version: 9.4.39-3
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
jetty9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated jetty9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 18 Jul 2021 19:37:57 +0200
Source: jetty9
Architecture: source
Version: 9.4.39-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 991188
Changes:
 jetty9 (9.4.39-3) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-34429:
     URIs can be crafted using some encoded characters to access the content of
     the WEB-INF directory and/or bypass some security constraints.
     Thanks to Salvatore Bonaccorso for the report. (Closes: #991188)
Checksums-Sha1:
 0332f0c810a736d96f21eebc90262e8dd0e9e8fe 2750 jetty9_9.4.39-3.dsc
 56da909b10bb1871f2fda5fae851308382d0db34 40860 jetty9_9.4.39-3.debian.tar.xz
 0466e64dae2866564fe6eb3fc0413226dc0e0def 17328 jetty9_9.4.39-3_amd64.buildinfo
Checksums-Sha256:
 5fbf79386b6b8928cf591e32b39b78d8758421dce5ffa6eb38a1adc02c72812e 2750 jetty9_9.4.39-3.dsc
 cddf6acaf6be3e14a03e3327f45dfe7180c0d9d3652d2dd94dfa39b45e48ee1f 40860 jetty9_9.4.39-3.debian.tar.xz
 7ff323625571640d86b00537e86421f6ac3846da8667188ba05d380fcd52e9a0 17328 jetty9_9.4.39-3_amd64.buildinfo
Files:
 e20fd12bece3dc0c05ab715b16caf868 2750 java optional jetty9_9.4.39-3.dsc
 646772133b47a62a407b766d48e8d958 40860 java optional jetty9_9.4.39-3.debian.tar.xz
 f4e8d95d1dd2dd4049b974d76d92560d 17328 java optional jetty9_9.4.39-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmD0aLdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hkd4cP/jmQfD1+uel+fRGo7JdFSylEjNjv7vbYXD/+
9cP/iNNuquZIPJnjUQhcpuqRwLxvlp8o4Aqvz//Idy3+RMg/zX4DICKBI3GDxbrk
CdpthAHArJaHGexEgTnnnOYHpFdmSOu7/QWnXGwJPt4pGwfRCdm+gDHrknCrdL0q
lH/4GNkssyYO0Moj34pLNLCBN4Va4tmgUSXhllqKNtVP0qlvSuqCpX0eXBpJtsLL
Qbz5fKkID2WfkxsVpaAL57Tmttgu5wTIhyuWkYcobylCPaJ3maxF5xRGvn0gebMA
Y1+MqsJMwfe1tYcl6u71qVnbgVafBsG8ED+i65Hdvn0TlkLQoBXs4Qh9NUeZbaas
tB3igf9GIEjeOW6Z1KVCkeUGCjeDaCI0G9nRdbNJSLDRiWF50iEz+BYzAm05nUXe
LDAHOIoNJ0n+ZqCa6xzIaL8SZPh8lub9NNaG7Dqzzp8HhJ0pLEmauTS0qquXyEhp
BzEzhZiiUcSUZfui9LfoH20QD2itx8UB9xnV1e+AZwvuftoI3ZM/EsGI36JEB2ub
ToFl1WLhJN99nrS2EDqD5oEGlg2zeT+aAv28X+T3a+CYv439djEmncFh351WnjjO
ZU2ri3ibwE+RREw124fKR7XxadMLzrSS3xfJjOfyFF6svGFe8kpDfuC1bGJ/rssf
c0wIvVhr
=G0PS
-----END PGP SIGNATURE-----

--- End Message ---
