Package: jetty
Version: 5.1.10-2
Severity: grave
Tags: security

Some security issues have been found in jetty 6:

CVE-2006-2759:
jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary script source code via a capital P in the .jsp extension, and probably other mixed case manipulations.

CVE-2006-2758:
Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16
allows remote attackers to read arbitrary files via a %2e%2e%5c
(encoded ../) in the URL.

A request to the maintainers to verify that they are not present in jetty 5 has not been answered. Jetty should not reenter testing until these issues are checked.


PS: The changes file of 5.1.10-2 was quite broken, some of the bugs were not marked as closed.
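The two request shapes named above (a case-variant `.jsp` extension and a percent-encoded `..\` traversal) can be spotted in access logs before a package is checked. The following is an added detection example for maintainers and operators, not code from the report or from jetty; the log lines are constructed samples and the request-line format is a simplified assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not from the original report).
SAMPLE_REQUESTS = [
    "GET /index.jsp HTTP/1.1",
    "GET /index.jsP HTTP/1.1",
    "GET /webapps/..%2f..%2fetc/passwd HTTP/1.1",
    "GET /%2e%2e%5c%2e%2e%5cWEB-INF/web.xml HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
]

# Extensions whose source must never be served verbatim.
SOURCE_EXTENSIONS = {".jsp"}


def canonical_path(raw):
    """Percent-decode until stable (catches double encoding) and fold
    backslashes to forward slashes, as a lenient server might."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(raw):
    """True when any path segment is '..' after decoding (CVE-2006-2758 shape)."""
    return ".." in canonical_path(raw).split("/")


def has_case_variant_extension(raw):
    """True when the extension matches a source type only case-insensitively,
    e.g. '.jsP' (CVE-2006-2759 shape)."""
    path = canonical_path(raw).split("?", 1)[0]
    dot = path.rfind(".")
    if dot == -1:
        return False
    ext = path[dot:]
    return ext.lower() in SOURCE_EXTENSIONS and ext != ext.lower()


def classify(line):
    """Return a list of findings for one request line (empty if clean)."""
    m = re.match(r"\S+\s+(\S+)\s+HTTP/", line)
    if not m:
        return []
    target = m.group(1)
    findings = []
    if has_traversal(target):
        findings.append("traversal")
    if has_case_variant_extension(target):
        findings.append("case-variant-ext")
    return findings
```

A hit on either finding is a reason to confirm that the installed jetty rejects the request rather than serving the file.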



_______________________________________________
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers