Debian Bug report logs - #462793
jetty5: CVE-2007-6672 unauthorized disclosure of information

Package: jetty; Maintainer for jetty is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for jetty is src:jetty.

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 27 Jan 2008 15:27:01 UTC

Severity: grave

Tags: security

Done: "Damien Raude-Morvan" <drazzib@drazzib.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#462793; Package jetty5.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org.

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: jetty5: CVE-2007-6672 unauthorized disclosure of information
Date: Sun, 27 Jan 2008 16:25:35 +0100
[Message part 1 (text/plain, inline)]
Source: jetty5
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for jetty5.

CVE-2007-6672[0]:
| Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass
| protection mechanisms and read the source of files via multiple '/'
| (slash) characters in the URI.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
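The CVE text quoted above describes a path-normalization mismatch: the component enforcing the access rule compares the URI as it arrived, while the component that resolves the resource tolerates repeated slashes, so the two disagree about which file `//WEB-INF//web.xml` names and the tolerant one wins. The Python below is an added illustration of that bug class written for this page; it is not Jetty's code, the page does not show Jetty's actual code path, and the protected prefixes, handler functions and probe paths are constructed for the example. It generalizes slightly beyond doubled slashes to the dot-segment, `..` and percent-encoding spellings a tester would try alongside them.

```python
"""Path-normalization bypass of a prefix-based access check (constructed example).

A 'security constraint' layer matches the raw request URI against protected
prefixes; the resource layer that actually opens the file normalizes the
path first.  Because the two components canonicalize differently, a request
that the first one does not recognize still reaches the file the second one
resolves.  Nothing here is Jetty's implementation.
"""
import posixpath
from urllib.parse import unquote

# Assumed protected prefixes, modelled on a servlet security-constraint.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/", "/admin/")


def canonicalize(raw_path: str) -> str:
    """Return the single canonical form of a request path.

    Percent-decodes once, collapses runs of '/', and resolves '.' and '..'
    segments.  posixpath.normpath preserves a leading '//' (POSIX leaves its
    meaning implementation-defined), so leading slashes are stripped and a
    single one re-added before normalizing.
    """
    decoded = unquote(raw_path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def matches_protected(path: str) -> bool:
    """Prefix match; also catches a request for the protected directory itself."""
    return any(path.startswith(p) or path == p.rstrip("/") for p in PROTECTED_PREFIXES)


def resource_for(path: str) -> str:
    """Models the resource layer: it normalizes before the lookup, so
    '//WEB-INF//web.xml' and '/WEB-INF/web.xml' open the same file."""
    return canonicalize(path)


def serve_naive(raw_path: str):
    """Vulnerable: access check on the raw URI, file lookup on the normalized one.
    Returns (status, resource_path_or_None)."""
    if matches_protected(raw_path):
        return 403, None
    return 200, resource_for(raw_path)


def serve_hardened(raw_path: str):
    """Fixed: one canonical form feeds both the check and the lookup."""
    canon = canonicalize(raw_path)
    if matches_protected(canon):
        return 403, None
    return 200, canon


def probe_variants(path: str):
    """Equivalent spellings of `path` a tester sends to spot this bug class.
    A 403 for the canonical form beside a 200 for any variant is the finding."""
    segs = path.strip("/").split("/")
    enc_first = "%%%02X" % ord(segs[0][0]) + segs[0][1:]   # first char percent-encoded
    return [
        "/" + "/".join(segs),                 # canonical form (control)
        "//" + "/".join(segs),                # doubled leading slash
        "/" + "//".join(segs),                # doubled inner slashes
        "/./" + "/".join(segs),               # dot segment
        "/" + "/".join([enc_first] + segs[1:]),
        "/x/../" + "/".join(segs),            # traversal through a dummy segment
    ]


def audit(server, path: str):
    """Run every variant through `server`; return the variants that were served."""
    return [v for v in probe_variants(path) if server(v)[0] == 200]


if __name__ == "__main__":
    target = "/WEB-INF/web.xml"
    print("naive server leaks via:   ", audit(serve_naive, target))
    print("hardened server leaks via:", audit(serve_hardened, target))
```

Note that `/WEB-INF//web.xml` does not defeat the naive check here because the doubled slash sits after the matched prefix; where the duplicate lands relative to the pattern decides whether a given spelling bypasses a given rule, which is why the audit sends several. A stricter fix than canonicalizing is to refuse any request whose path is not already canonical (answer 400 instead of guessing), which removes the ambiguity rather than resolving it.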

Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#462793; Package jetty5.

Acknowledgement sent to Martin Michlmayr <tbm@cyrius.com>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org.

Message #10 received at 462793@bugs.debian.org:

From: Martin Michlmayr <tbm@cyrius.com>
To: Nico Golde <nion@debian.org>, 462793@bugs.debian.org
Subject: Re: Bug#462793: jetty5: CVE-2007-6672 unauthorized disclosure of information
Date: Mon, 28 Jan 2008 14:59:40 +1100
* Nico Golde <nion@debian.org> [2008-01-27 16:25]:
> Source: jetty5

There's no such package?
-- 
Martin Michlmayr
http://www.cyrius.com/




Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#462793; Package jetty5.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org.

Message #15 received at 462793@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 462793@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#462793: jetty5: CVE-2007-6672 unauthorized disclosure of information
Date: Mon, 28 Jan 2008 21:50:21 +0100
[Message part 1 (text/plain, inline)]
reassign 462793 jetty
thanks

Hi,
* Martin Michlmayr <tbm@cyrius.com> [2008-01-28 15:05]:
> * Nico Golde <nion@debian.org> [2008-01-27 16:25]:
> > Source: jetty5
> 
> There's no such package?

Thanks for the hint. How did you notice it?
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug reassigned from package `jetty5' to `jetty'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 28 Jan 2008 20:51:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#462793; Package jetty.

Acknowledgement sent to Martin Zobel-Helas <zobel@ftbfs.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.

Message #22 received at 462793@bugs.debian.org:

From: Martin Zobel-Helas <zobel@ftbfs.de>
To: Nico Golde <nion@debian.org>, 462793@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#462793: jetty5: CVE-2007-6672 unauthorized disclosure of information
Date: Mon, 28 Jan 2008 22:09:08 +0100
Hi, 

On Mon Jan 28, 2008 at 21:50:21 +0100, Nico Golde wrote:
> reassign 462793 jetty
> thanks
> 
> Hi,
> * Martin Michlmayr <tbm@cyrius.com> [2008-01-28 15:05]:
> > * Nico Golde <nion@debian.org> [2008-01-27 16:25]:
> > > Source: jetty5
> > 
> > There's no such package?
> 
> Thanks for the hint. How did you notice it?

unknown-package@qa.d.o

look at merkel.


-- 
 Martin Zobel-Helas <zobel@debian.org>  |  Debian Release Team Member
 Debian & GNU/Linux Developer           |           Debian Listmaster
 Public key http://zobel.ftbfs.de/5d64f870.asc   -   KeyID: 5D64 F870
 GPG Fingerprint:  5DB3 1301 375A A50F 07E7  302F 493E FB8E 5D64 F870





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#462793; Package jetty.

Acknowledgement sent to Greg Wilkins <gregw@mortbay.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.

Message #27 received at 462793@bugs.debian.org:

From: Greg Wilkins <gregw@mortbay.com>
To: 462793@bugs.debian.org
Subject: Bug 462793
Date: Fri, 04 Jul 2008 09:24:43 +1000
this bug should be closed.

the CERT never applied to jetty 5 (which is what debian uses)
and was fixed some time ago in jetty 6

Please see

   http://docs.codehaus.org/display/JETTY/Jetty+Security


Note that it would also be good for debian to upgrade to jetty 6

cheers




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Sep 2008 07:31:43 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 02:07:51 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.