[Git][security-tracker-team/security-tracker][master] CVE-2024-6763,jetty9: mark bookworm and bullseye as ignored

Tue, 01 Apr 2025 11:03:26 -0700 


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c3862ef0 by Markus Koschany at 2025-04-01T20:02:58+02:00
CVE-2024-6763,jetty9: mark bookworm and bullseye as ignored

According to upstream jetty9 server and client are not affected or more
specifically, quote:

"Jetty 9 doesn't even have a UriCompliance, nor is it RFC9110. This PR in Jetty
9 makes no sense. We cannot force RFC9110 on Jetty 9 users, and the Jetty 9
users have no means to configure this UriCompliance rule it once it is
implemented."

This is more of an issue how browsers and jetty use different conventions to
parse a URI. The solution for jetty12 is to deprecate a part of a newer
specification which jetty9 does not even use.

This can't be properly addressed in Jetty 9.

https://github.com/jetty/jetty.project/pull/12012#issuecomment-2416450253

and followups.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -53665,6 +53665,8 @@ CVE-2024-7847 (VULNERABILITY DETAILS  Rockwell 
Automation used the latest versio
        NOT-FOR-US: Rockwell Automation
 CVE-2024-6763 (Eclipse Jetty is a lightweight, highly scalable, Java-based web 
server ...)
        - jetty9 <unfixed> (bug #1085698)
+       [bookworm] - jetty9 <ignored> (Minor issue)
+       [bullseye] - jetty9 <ignored> (Minor issue)
        - jetty <removed>
        NOTE: 
https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh
        NOTE: https://github.com/jetty/jetty.project/pull/12012



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3862ef0825ea46b0a9f38f18ff8d3c36c48de11

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3862ef0825ea46b0a9f38f18ff8d3c36c48de11
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to