Bug#559765: jetty: CVE-2007-6672 info disclosure
michael.s.gilbert at gmail.com
Mon Dec 7 22:34:49 UTC 2009
On Mon, 7 Dec 2009 21:21:14 +0100, Torsten Werner wrote:
> tags 559765 + wontfix
> On Mon, Dec 7, 2009 at 5:10 PM, Michael Gilbert
> <michael.s.gilbert at gmail.com> wrote:
> > changelog notes are not sufficient justification to close a security
> > issue. the source needs to be checked against a patch, so please find a
> > way to track that down. the easiest way is probably to just ask
> > upstream. thanks.
> No, I think it is your duty as the bug reporter to prove that the
> package is still vulnerable.
because the consequences of security issues can be dire (although in
this case the problem is fairly minor), it is much better to err on the
side of caution when dealing with them. i can of course spend the time
to study this problem and try to reproduce it, but since there are
already claims that it is fixed, that seems like an unwise use of
time. it is much more straightforward to simply check that the
existing fix is applied. since you should have a relationship with
upstream, it should be relatively straightforward to get a response
from them. also, this package is your responsibility, so you can't
expect others to do your job for you.
if you think this request is overburdensome/unjustified, you can send an
email to security at debian.org. be aware that they expect this level of
thoroughness at a minimum.
More information about the pkg-java-maintainers