Bug#864631: unblock: jetty9/9.2.22-1

2017-08-15 Thread Salvatore Bonaccorso
Control: tags -1 - moreinfo

Hi Adam,

On Sat, Jun 17, 2017 at 05:32:07PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> Hi,
> 
> On Sun, 2017-06-11 at 23:33 +0200, Emmanuel Bourg wrote:
> > This is a pre-upload request to unblock jetty9/9.2.22-1. This update fixes
> > a timing attack in a class checking passwords (no CVE ID has been assigned yet)
> > and removes a broken symlink (#857217).
> > 
> > Note that Jetty 9.2.x is in maintenance mode and receives only critical fixes
> > from upstream, that's why I'm suggesting to upload a new version (it mostly
> > consists in the security fix anyway).
> 
> Sorry that this didn't get picked up before the release.
> 
> From your comment above, I assume the plan is to get a newer upstream
> version of Jetty into unstable soon? If so, then how we proceed with
> fixing this in stretch depends on whether the Security Team plan to
> handle it via a DSA; CCing them for an opinion.

Sorry for the delay. No, we marked the issue as no-dsa, and the fix
should preferably go in via a point release.

The CVE is CVE-2017-9735.

Regards,
Salvatore



Bug#864631: unblock: jetty9/9.2.22-1

2017-06-17 Thread Adam D. Barratt
Control: tags -1 + moreinfo

Hi,

On Sun, 2017-06-11 at 23:33 +0200, Emmanuel Bourg wrote:
> This is a pre-upload request to unblock jetty9/9.2.22-1. This update fixes
> a timing attack in a class checking passwords (no CVE ID has been assigned yet)
> and removes a broken symlink (#857217).
> 
> Note that Jetty 9.2.x is in maintenance mode and receives only critical fixes
> from upstream, that's why I'm suggesting to upload a new version (it mostly
> consists in the security fix anyway).

Sorry that this didn't get picked up before the release.

From your comment above, I assume the plan is to get a newer upstream
version of Jetty into unstable soon? If so, then how we proceed with
fixing this in stretch depends on whether the Security Team plan to
handle it via a DSA; CCing them for an opinion.

Regards,

Adam



Bug#864631: unblock: jetty9/9.2.22-1

2017-06-11 Thread Emmanuel Bourg
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

This is a pre-upload request to unblock jetty9/9.2.22-1. This update fixes
a timing attack in a class checking passwords (no CVE ID has been assigned yet)
and removes a broken symlink (#857217).

Note that Jetty 9.2.x is in maintenance mode and receives only critical fixes
from upstream, that's why I'm suggesting to upload a new version (it mostly
consists in the security fix anyway).

Thank you,

Emmanuel Bourg
diff --git a/VERSION.txt b/VERSION.txt
index 5257d881..5ae8c45c 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1,3 +1,10 @@
+jetty-9.2.22.v20170531 - 31 May 2017
+ + 920 no main manifest attribute, in jetty-runner-.jar
+ + 1108 Please improve logging in SslContextFactory when there are no approved
+   cipher suites
+ + 1523 Update ALPN support for Java 8u131
+ + 1556 A timing channel in Password.java
+
 jetty-9.2.21.v20170120 - 20 January 2017
  + 592 Support no-value Host header in HttpParser
  + 1229 ClassLoader constraint issue when using NativeWebSocketConfiguration
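Review bot: The new 9.2.22 block lists three changes besides 1556 (920, 1108 and 1523), so this upload carries more than the Password.java timing-channel fix. The unblock request should say which code 920, 1108 and 1523 touch, or attach the upstream diff for them, so the extra risk can be judged from the changes themselves rather than from "it mostly consists in the security fix".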
diff --git a/aggregates/jetty-all/pom.xml b/aggregates/jetty-all/pom.xml
index 2e21ad21..41b2f86c 100644
--- a/aggregates/jetty-all/pom.xml
+++ b/aggregates/jetty-all/pom.xml
@@ -2,7 +2,7 @@
   
 org.eclipse.jetty
 jetty-project
-9.2.21.v20170120
+9.2.22.v20170531
 ../../pom.xml
   
   4.0.0
diff --git a/apache-jsp/pom.xml b/apache-jsp/pom.xml
index 41c59d9c..b4114897 100644
--- a/apache-jsp/pom.xml
+++ b/apache-jsp/pom.xml
@@ -2,7 +2,7 @@
   
 org.eclipse.jetty
 jetty-project
-9.2.21.v20170120
+9.2.22.v20170531
   
   4.0.0
   apache-jsp
diff --git a/apache-jstl/pom.xml b/apache-jstl/pom.xml
index 0a4f3463..cc7566a9 100644
--- a/apache-jstl/pom.xml
+++ b/apache-jstl/pom.xml
@@ -2,7 +2,7 @@
   
 org.eclipse.jetty
 jetty-project
-9.2.21.v20170120
+9.2.22.v20170531
   
   4.0.0
   apache-jstl
diff --git a/debian/changelog b/debian/changelog
index 4470c642..46ffe734 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jetty9 (9.2.22-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream release
+  * No longer create a link to jetty-overlay-deployer (Closes: #857217)
+
+ -- Emmanuel Bourg   Sun, 11 Jun 2017 23:23:14 +0200
+
 jetty9 (9.2.21-1) unstable; urgency=medium
 
   * Team upload.
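Review bot: The 9.2.22-1 entry never mentions the security fix: "New upstream release" gives no hint that this upload addresses the timing channel in Password.java (upstream 1556 in VERSION.txt). Add an explicit bullet for it and reference the CVE ID there once it is assigned (CVE-2017-9735 according to the later reply in this thread), so the upload can be matched to the issue in security tracking.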
diff --git a/debian/jetty9.install b/debian/jetty9.install
index ae122cb4..58aa01b3 100644
--- a/debian/jetty9.install
+++ b/debian/jetty9.install
@@ -6,7 +6,6 @@ jetty-distribution/src/main/resources/etc/*  etc/jetty9
 jetty-jaas/src/main/config/etc/* etc/jetty9
 jetty-jmx/src/main/config/etc/*  etc/jetty9
 jetty-monitor/src/main/config/etc/*  etc/jetty9
-jetty-overlay-deployer/src/main/config/etc/* etc/jetty9
 jetty-plus/src/main/config/etc/* etc/jetty9
 jetty-proxy/src/main/config/etc/*etc/jetty9
 jetty-quickstart/src/main/config/etc/*   etc/jetty9
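Review bot: The changelog bullet "No longer create a link to jetty-overlay-deployer" understates the line removed here, which stops installing jetty-overlay-deployer/src/main/config/etc/* into etc/jetty9, not just a link. Reword the changelog to say the overlay-deployer configuration is dropped as well, and check whether anything that 9.2.21-1 installed from this path under etc/jetty9 needs cleanup on upgrade.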
@@ -39,7 +38,6 @@ jetty-jaspi/src/main/config/modules/*.mod 
  usr/share/je
 jetty-jmx/src/main/config/modules/*.mod 
usr/share/jetty9/modules
 jetty-jndi/src/main/config/modules/*.mod
usr/share/jetty9/modules
 jetty-monitor/src/main/config/modules/*.mod 
usr/share/jetty9/modules
-jetty-overlay-deployer/src/main/config/modules/*.mod
usr/share/jetty9/modules
 jetty-plus/src/main/config/modules/*.mod
usr/share/jetty9/modules
 jetty-proxy/src/main/config/modules/*.mod   
usr/share/jetty9/modules
 jetty-quickstart/src/main/config/modules/*.mod  
usr/share/jetty9/modules
diff --git a/debian/jetty9.links b/debian/jetty9.links
index 0608047b..95e92111 100755
--- a/debian/jetty9.links
+++ b/debian/jetty9.links
@@ -25,7 +25,6 @@ usr/share/java/jetty9-jaspi.jar 
usr/share/jetty9/lib/jetty-jaspi
 usr/share/java/jetty9-jmx.jar   
usr/share/jetty9/lib/jetty-jmx-${VERSION}.jar
 usr/share/java/jetty9-jndi.jar  
usr/share/jetty9/lib/jetty-jndi-${VERSION}.jar
 usr/share/java/jetty9-monitor.jar   
usr/share/jetty9/lib/monitor/jetty-monitor-${VERSION}.jar
-usr/share/java/jetty9-overlay-deployer.jar  
usr/share/jetty9/lib/jetty-overlay-deployer-${VERSION}.jar
 usr/share/java/jetty9-plus.jar  
usr/share/jetty9/lib/jetty-plus-${VERSION}.jar
 usr/share/java/jetty9-proxy.jar 
usr/share/jetty9/lib/jetty-proxy-${VERSION}.jar
 usr/share/java/jetty9-quickstart.jar
usr/share/jetty9/lib/jetty-quickstart-${VERSION}.jar
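Review bot: Nothing in this hunk or the changelog explains why the target of the removed link, usr/share/jetty9/lib/jetty-overlay-deployer-${VERSION}.jar, does not exist. Say in the changelog whether the jar is no longer built or simply was never installed, so it is clear that dropping the link (together with the .install lines above) is the right fix for #857217 rather than shipping the missing jar.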
diff --git a/debian/libjetty9-java.poms b/debian/libjetty9-java.poms
index 488baacf..8bff1950 100644
--- a/debian/libjetty9-java.poms
+++ b/debian/libjetty9-java.poms
@@ -38,7 +38,6 @@ jetty-http/pom.xml  
--java-lib --usj-name=jetty9
 jetty-io/po