Bug#559765: jetty: CVE-2007-6672 info disclosure
Torsten Werner
twerner at debian.org
Tue Dec 8 08:26:54 UTC 2009
Michael Gilbert schrieb:
> it is much more straightforward to simply check that the
> existing fix is applied. since you should have a relationship with
> upstream, it should be relatively straightforward to get a response
> from them.
Upstream states that the package is fixed in version 6.1.7 at
<http://jira.codehaus.org/browse/JETTY-386#action_117699> and this page
is linked from
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672>. The
oldest version from the jetty6 code base we ever had in Debian is 6.1.18.
> also, this package is your responsibility, so you can't
> expect others to do your job for you.
You have reported a bug that is more than 2.5 years old. How much
history should the maintainer check in your opinion before he ever
uploads to Debian? 2 years, 5 years, 10 years, 20 years...?
> if you think this request is overburdensome/unjustified, you can send an
> email to security at debian.org. be aware that they expect this level of
> thoroughness at a minimum.
I do accept bug reports with false positives from the security team when
time constraints do not allow proper checking because getting the
information fast is more important in such cases than verifying the
information. But that is a different story. You are reporting a bug that
was fixed some years ago and you could have verified it yourself.
Torsten