Bug#559765: marked as done (jetty: CVE-2007-6672 info disclosure)
Your message dated Sun, 24 Jan 2010 22:49:26 +0100
with message-id a90bfcf1001241349w32854527h5976c5aed...@mail.gmail.com
and subject line Re: Bug#559765: jetty: CVE-2007-6672 info disclosure
has caused the Debian Bug report #559765,
regarding jetty: CVE-2007-6672 info disclosure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
559765: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559765
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: jetty
Version: 6.1.21-1
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for jetty.

CVE-2007-6672[0]:
| Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass
| protection mechanisms and read the source of files via multiple '/'
| (slash) characters in the URI.

This may already be fixed. Some of the messages that are linked from
the mitre page indicated that supposedly this was to be fixed in 6.1.7,
but I was unable to track down patches to verify. Please check.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672
    http://security-tracker.debian.org/tracker/CVE-2007-6672
---End Message---

---BeginMessage---
On Tue, Dec 8, 2009 at 5:02 PM, Michael Gilbert
michael.s.gilb...@gmail.com wrote:
> this reference may be informative:
> http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-May/002394.html

svn changeset 2244 at
http://svn.codehaus.org/jetty/jetty/branches/jetty-6.1/ has fixed this
issue on 2007-12-21.

Torsten
---End Message---

Bug#559765: marked as done (jetty: CVE-2007-6672 info disclosure)
Your message dated Mon, 07 Dec 2009 10:38:07 +0100
with message-id 4b1cccff.2070...@thykier.net
and subject line Re: Bug#559765: jetty: CVE-2007-6672 info disclosure
has caused the Debian Bug report #559765,
regarding jetty: CVE-2007-6672 info disclosure
to be marked as done.

---BeginMessage---
Michael Gilbert wrote:
> Package: jetty
> Version: 6.1.21-1
> Severity: serious
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for jetty.
>
> CVE-2007-6672[0]:
> | Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass
> | protection mechanisms and read the source of files via multiple '/'
> | (slash) characters in the URI.
>
> This may already be fixed. Some of the messages that are linked from
> the mitre page indicated that supposedly this was to be fixed in 6.1.7,
> but I was unable to track down patches to verify. Please check.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672
>     http://security-tracker.debian.org/tracker/CVE-2007-6672

Hi Michael

Thank you for your report. I found the upstream bug report[1] where
upstream say they have fixed it in 6.1.7 (and provide a fix for earlier
versions as well) - I saw no reason to doubt this.

Nevertheless if you can reproduce the issue, please do not hesitate to
reopen the bug.

~Niels

[1] http://jira.codehaus.org/browse/JETTY-386?focusedCommentId=117699page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_117699

<quote>
[...]
Release 6.1.7 is now being created with this fix.
[...]
</quote>
---End Message---