[SECURITY] [DLA 2688-1] jetty9 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2688-1] jetty9 security update
From: Sylvain Beucler <beuc@beuc.net>
Date: Thu, 17 Jun 2021 20:46:57 +0200
Message-id: <[🔎] 20210617184657.GA21047@mail.beuc.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2688-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
June 17, 2021                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : jetty9
Version        : 9.2.30-0+deb9u2
CVE ID         : CVE-2021-28169

Steven Seeley discovered that in jetty, a Java servlet engine and
webserver, requests to the ConcatServlet and WelcomeFilter are able to
access protected resources within the WEB-INF directory. An attacker
may access sensitive information regarding the implementation of a web
application.

For Debian 9 stretch, this problem has been fixed in version
9.2.30-0+deb9u2.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmDLmDYACgkQDTl9HeUl
XjC9lxAAta8AQTlorQDU9j8PsE/ptOBypDn3sPM0iDKLOwnBGRnZkDLmSjbnq8Dd
ODSXrndn/f/tFZa2lkE0yY3BjcG7NZFeij8dzHnIn7g4En9W9fxFHW5uaGR44ZHU
1rKz4hueQFRx3dZZifSMkvD2Dh+2X0oU9YYfFWZqGp53ExHdBgylBE45qmS8q66Z
2R3ATYUGvmKZeLFA3PJ+/9/e+wdq24dn4hl6OCvzpPz35Qud7MdwNgQfDT8OoiJj
GOnhPc7ftQxeu9QrTAtZxAKjiD1X7CT4rBF9vjzHhP6bBnxm7BFjnIdLipP8ryj0
Xe3ZtZC9t0DhclDmj5BYRsheigB2Wfsh0LFJYr9nLKgdM+53bCvALqCReCoWPLsJ
eYA0GQTpF8y4HLZ80G011tLeTPkwWY54DPXwPP9Obn9oM7SSyRXOihCOkogCoxB1
IrkM+L1W763IRGdcoBfSLGWisKExG4E9PJJTjZGLMI6RgG80ev+r9/BdEaT0a8NK
20XBmSXEG2WUr+b4cqglY//rXNpw7L0WGXkmV5y0hajnc1k0cHP6KVuBTvNrvoZX
Gah++hQt0vAU+U2r3g4ayIBwe9R8Wi2mYXo9YkUu/+P9cGrBEAf4L2cpNKTLU2gB
6VMXEp3txX65zAJr666lAOaYO4UsB0ohWZC7RlEfj4EFP2OM26g=
=i0es
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2687-1] prosody security update
Next by Date: [SECURITY] [DLA 2687-2] prosody regression update
Previous by thread: [SECURITY] [DLA 2687-1] prosody security update
Next by thread: [SECURITY] [DLA 2687-2] prosody regression update
Index(es):
- Date
- Thread