Bug 201437 - www-servers/jetty Multiple vulnerabilities (CVE-2007-{5613,5614,5615,6672})
Summary: www-servers/jetty Multiple vulnerabilities (CVE-2007-{5613,5614,5615,6672})
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://www.kb.cert.org/vuls/id/212984
Whiteboard: ~3 [masked]
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2007-12-05 23:31 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-26 18:44 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 23:31:51 UTC
CVE-2007-5615 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5615):
  CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote
  attackers to inject arbitrary HTTP headers and conduct HTTP response
  splitting attacks via unspecified vectors.
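The bug class named in that CVE, CRLF injection into a response header leading to HTTP response splitting, as an added illustration in Python that is not Jetty's code and not Jetty's fix (the CVE text gives no vector, so this shows the class, not the Jetty bug). A stand-in "servlet" copies a request parameter into a Location header; a hardened variant rejects CR/LF before the value reaches the header writer; and a minimal response reader shows how a client consuming the byte stream ends up with a second, attacker-controlled response. The ATTACK payload is constructed for the example.

```python
# Added example (not Jetty's code): CRLF injection into a response header and
# the resulting HTTP response splitting, next to the check that prevents it.
# The "servlet" below is a stand-in for the bug class, not Jetty's vector.
from typing import Dict, List

CRLF = "\r\n"

# Constructed attacker input: closes the legitimate redirect early and appends
# a complete second response carrying attacker-controlled HTML (25 bytes).
ATTACK = (
    "/home" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 25" + CRLF + CRLF
    + "<script>alert(1)</script>"
)


def build_redirect_unsafe(location: str) -> bytes:
    """Vulnerable: the header value is copied verbatim into the response."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


def safe_header_value(value: str) -> str:
    """Reject CR, LF and NUL in a header value. Failing closed is preferable
    to silently stripping: a stripped value is still wrong, just less visibly."""
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("CR/LF/NUL not allowed in header value")
    return value


def build_redirect_safe(location: str) -> bytes:
    """Hardened: validate before the value reaches the header writer."""
    return build_redirect_unsafe(safe_header_value(location))


def parse_responses(raw: bytes) -> List[Dict]:
    """Minimal HTTP/1.x response reader: returns every response found in the
    byte stream, delimiting bodies by Content-Length the way a client would.
    Reading stops at the first thing that is not a status line."""
    out: List[Dict] = []
    pos = 0
    while raw.startswith(b"HTTP/", pos):
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = raw[pos:end].decode("latin-1").split(CRLF)
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = raw[body_start:body_start + length].decode("latin-1")
        out.append({"status": lines[0], "headers": headers, "body": body})
        pos = body_start + length
    return out


if __name__ == "__main__":
    for r in parse_responses(build_redirect_unsafe(ATTACK)):
        print(r["status"], r["headers"], repr(r["body"]))
    try:
        build_redirect_safe(ATTACK)
    except ValueError as exc:
        print("hardened builder refused the payload:", exc)
```

Fed the constructed payload, the unsafe builder yields a stream the reader splits into two responses, the second of which has the attacker's status line, Content-Type and script body; the hardened builder raises instead. A rejecting check at the header API is the right layer for this, since every caller that sets a header from request data otherwise has to remember to validate.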
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 23:33:25 UTC
java herd, please advise.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 23:35:16 UTC
CVE-2007-5614:
  Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote
  sequences" in HTML cookie parameters, which allows remote attackers to hijack
  browser sessions via unspecified vectors.

CVE-2007-5613:
  Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty
  before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML
  via unspecified parameters and cookies.
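The two bug classes in this comment, a diagnostic page that reflects request parameters and cookies into HTML without escaping (CVE-2007-5613) and a cookie parser that gets quoted values wrong (CVE-2007-5614), as one added illustration in Python. It is not Jetty's Dump Servlet or Jetty's cookie code, and the specific "quote sequences" Jetty mishandled are not given in the CVE text; the parser here simply handles RFC 2109 quoted-string values explicitly and rejects what it cannot parse. The sample query string and Cookie header are constructed for the example.

```python
# Added example (not Jetty's Dump Servlet): a debugging page that echoes
# request parameters and cookies back as HTML, shown unescaped (the XSS
# pattern CVE-2007-5613 describes) and escaped. The Cookie header parser
# treats quoted values explicitly; it is a generic parser, not Jetty's.
import html
from typing import Dict
from urllib.parse import parse_qsl

# Constructed sample input, including a cookie with an escaped quote inside
# a quoted value and a parameter carrying a script tag.
SAMPLE_QUERY = "name=<script>alert(1)</script>&page=2"
SAMPLE_COOKIE = 'JSESSIONID=abc123; theme="dark\\"mode"; x=1'


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a Cookie: header. Values may be RFC 2109 quoted-strings with
    backslash escapes; malformed input raises instead of being guessed at."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " ;,":      # separators between pairs
            i += 1
        if i >= n:
            break
        j = i
        while j < n and header[j] not in "=;,":
            j += 1
        name = header[i:j].strip()
        if not name or j >= n or header[j] != "=":
            raise ValueError(f"malformed cookie pair near offset {i}")
        i = j + 1
        while i < n and header[i] == " ":
            i += 1
        if i < n and header[i] == '"':           # quoted-string value
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted cookie value")
                ch = header[i]
                if ch == "\\" and i + 1 < n:     # escaped character, e.g. \"
                    buf.append(header[i + 1])
                    i += 2
                elif ch == '"':
                    i += 1
                    break
                else:
                    buf.append(ch)
                    i += 1
            value = "".join(buf)
        else:                                    # bare token value
            j = i
            while j < n and header[j] not in ";,":
                j += 1
            value = header[i:j].strip()
            i = j
        cookies[name] = value
    return cookies


def render_dump(query: str, cookie_header: str, escape: bool) -> str:
    """Render a table of request parameters and cookies. escape=False is the
    vulnerable reflection; escape=True HTML-escapes every name and value for
    the text-node context they land in (html.escape also escapes quotes)."""
    enc = html.escape if escape else (lambda s: s)
    rows = []
    for kind, items in (("param", parse_qsl(query)),
                        ("cookie", parse_cookie_header(cookie_header).items())):
        for name, value in items:
            rows.append(f"<tr><td>{kind}</td><td>{enc(name)}</td>"
                        f"<td>{enc(value)}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def is_reflected_unescaped(page: str, payload: str) -> bool:
    """True when the payload appears verbatim in the rendered page."""
    return payload in page


if __name__ == "__main__":
    print(parse_cookie_header(SAMPLE_COOKIE))
    print(render_dump(SAMPLE_QUERY, SAMPLE_COOKIE, escape=False))
    print(render_dump(SAMPLE_QUERY, SAMPLE_COOKIE, escape=True))
```

The unescaped rendering returns the script tag verbatim to the browser; the escaped one returns `&lt;script&gt;` text. Debug pages of this kind are worth treating as untrusted output just like any other handler, and not shipping enabled in production at all.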
Comment 3 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-12-06 18:00:38 UTC
This package is presently unmaintained. I have briefly mentioned to nelcheal about us co-maintaining it, since I maintain Tomcat and he maintains Resin. Jetty is the other popular servlet container. So it's up our alley, but neither of us use it, or have a direct interest in it, other than other ebuilds/projects using some Jetty stuff.

Not sure what we will do on this. Likely p.mask or etc. Maybe remove entirely, but don't have anything to put in its place. Last effort to update Jetty from source was over 1.5 years ago by nichoj. So likely would have to start from almost scratch to get a current version packaged. Not likely to happen anytime soon.
Comment 4 Krzysztof Pawlik (RETIRED) gentoo-dev 2007-12-06 18:10:28 UTC
Only two packages depend on jetty:

virtual/httpd-basic-0
virtual/httpd-cgi-0

I'm for p.mask for now - on next Java team meeting we'll decide what to do with Jetty.
Comment 5 Petteri Räty (RETIRED) gentoo-dev 2007-12-06 18:28:33 UTC
(In reply to comment #4)
> Only two packages depend on jetty:
> 
> virtual/httpd-basic-0
> virtual/httpd-cgi-0
> 
> I'm for p.mask for now - on next Java team meeting we'll decide what to do with
> Jetty.
> 

Update the pkg_postinst messages in mx4j-tools too.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-07 00:03:36 UTC
thanks for taking care, please let us know once you decide. no maskglsa since this is ~arch only.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 02:49:15 UTC
New vulnerability:
  http://secunia.com/advisories/28322/

Java, was there a decision what to do with jetty?
Comment 8 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-01-05 03:29:54 UTC
We are going to mask it and deal with any deps for now. Got a contributor slowly working on packaging a current version. Hopefully one not affected by exploits. But that work hasn't even been committed to an overlay. I will try to get on this tomorrow. Don't have any time for it tonight.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-01-09 01:23:12 UTC
CVE-2007-6672 was assigned to the latest issue.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-01-09 01:24:21 UTC
Last-rited:
  http://article.gmane.org/gmane.linux.gentoo.devel.announce/83
Comment 11 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-01-26 18:44:54 UTC
Closing bug. Removed from tree, till we get a maintainer and current version from source.