Bug#559765: jetty: CVE-2007-6672 info disclosure

[Michael Gilbert]

On Tue, 08 Dec 2009 09:26:54 +0100, Torsten Werner wrote:
> Michael Gilbert schrieb:
> > it is much more straightforward to simply check that the
> > existing fix is applied. since you should have a relationship with
> > upstream, it should be relatively straightforward to get a response
> > from them.
> 
> Upstream states that the package is fixed in version 6.1.7 at 
> http://jira.codehaus.org/browse/JETTY-386#action_117699> and this page 
> is linked from 
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672>. The 
> oldest version from the jetty6 code base we ever had in Debian is 6.1.18.

you've mentioned this before, and i had seen that before submitting the
bug.  if changelog entries were considered sufficient, i would have
had no reason to submit the bug in the first place.

> > also, this package is your responsibility, so you can't
> > expect others to do your job for you.
> 
> You have reported a bug that is more than 2.5 years old. How much 
> history should the maintainer check in your opinion before he ever 
> uploads to Debian? 2 years, 5 years, 10 years, 20 years...?

for security-related issues, yes, the entire lifetime of the program.

> > if you think this request is overburdensome/unjustified, you can send an
> > email to security at debian.org.  be aware that they expect this level of
> > thoroughness at a minimum.
> 
> I do accept bug reports with false positives from the security team when 
> time constraints do not allow proper checking because getting the 
> information fast is more important in such cases than verifying the 
> information. But that is a different story. You are reporting a bug that 
> has been fixed some years ago and you could have verified it yourself.

like i said, i did do the verification that you mentioned), but again
this is not sufficient.  triaging this issue has been a todo for the
security team for the past 2.5 years, and i am trying to close it off.
please help me out.  thank you.

mike