Control: tags -1 - moreinfo

Hi Adam,

On Sat, Jun 17, 2017 at 05:32:07PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> Hi,
>
> On Sun, 2017-06-11 at 23:33 +0200, Emmanuel Bourg wrote:
> > This is a pre-upload request to unblock jetty9/9.2.22-1. This update fixes
> > a timing attack in a class checking passwords (no CVE ID has been assigned
> > yet) and removes a broken symlink (#857217).
> >
> > Note that Jetty 9.2.x is in maintenance mode and receives only critical
> > fixes from upstream, that's why I'm suggesting to upload a new version
> > (it mostly consists in the security fix anyway).
>
> Sorry that this didn't get picked up before the release.
>
> From your comment above, I assume the plan is to get a newer upstream
> version of Jetty into unstable soon? If so, then how we proceed with
> fixing this in stretch depends on whether the Security Team plan to
> handle it via a DSA; CCing them for an opinion.

Sorry for the delay. No we marked the issue as no-dsa, and the fix
should preferably go in via a point release. The CVE is CVE-2017-9735.

Regards,
Salvatore