Michael Gilbert wrote:
> It is much more straightforward to simply check that the existing fix is applied. Since you should have a relationship with upstream, it should be relatively straightforward to get a response from them.
Upstream states that the package is fixed in version 6.1.7 at <http://jira.codehaus.org/browse/JETTY-386#action_117699> and this page is linked from <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672>. The oldest version from the jetty6 code base we ever had in Debian is 6.1.18.
> Also, this package is your responsibility, so you can't expect others to do your job for you.
You have reported a bug that is more than 2.5 years old. How much history should the maintainer check in your opinion before he ever uploads to Debian? 2 years, 5 years, 10 years, 20 years...?
> If you think this request is overburdensome/unjustified, you can send an email to secur...@debian.org. Be aware that they expect this level of thoroughness at a minimum.
I do accept bug reports with false positives from the security team when time constraints do not allow proper checking because getting the information fast is more important in such cases than verifying the information. But that is a different story. You are reporting a bug that has been fixed some years ago and you could have verified it yourself.
Torsten