Bug#454529: two more CVEs

Michael Koch konqueror at gmx.de
Wed Dec 19 13:34:15 UTC 2007


On Wed, Dec 05, 2007 at 11:45:41PM +0100, Steffen Joeris wrote:
> Hi
> 
> There have been two more CVEs[0][1] for jetty:
> 
> CVE-2007-5613:
> 
> Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty 
> before 6.1.6rc1 allows remote attackers to inject arbitrary web script or 
> HTML via unspecified parameters and cookies.
> 
> 
> CVE-2007-5614:
> 
> Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote 
> sequences" in HTML cookie parameters, which allows remote attackers to hijack 
> browser sessions via unspecified vectors.

I have spoken with upstream about these three issues and they are
working on a solution for Jetty 5.1 for this. For Jetty 6 (which is not
yet in Debian) the issue was easy to fix due to its design. Jetty 5.1
needs some major work.


Cheers,
Michael





More information about the pkg-java-maintainers mailing list