Opened 3 years ago
Closed 3 years ago
#2061 closed defect (fixed)
I2P and default Jetty installation & Vulnerability time fixation
Reported by: | anonymous maybe | Owned by: | zzz |
---|---|---|---|
Priority: | minor | Milestone: | 0.9.33 |
Component: | apps/jetty | Version: | 0.9.31 |
Keywords: | | Cc: | |
Parent Tickets: | | Sensitive: | no |
Description
Hi there. As we know, I2P comes with Jetty by default, but the problem is that there are vulnerabilities attacking Jetty which might also cause I2P trouble. For example this ticket:
https://security-tracker.debian.org/tracker/CVE-2017-9735
It says that it has been fixed in sid and buster but NOT stretch, which is the stable one.
So according to this situation, what should I2P do about this?
Should we stick to Eclipse releases for Debian stable, or should we fix that by I2P itself through bringing in Jetty 9.2.22-2 and updating it via the I2P repo?
How about future thoughts regarding problems similar to this one?
Another vulnerability you can see here, with the fix candidate time not yet applied:-
Subtickets
Change History (3)
comment:1 Changed 3 years ago by
Priority: | minor → major |
---|---|
Summary: | I2P and default Jetty installation → I2P and default Jetty installation & Vulnerability time fixation |
comment:2 Changed 3 years ago by
Milestone: | undecided → 0.9.33 |
---|---|
Owner: | set to zzz |
Priority: | major → minor |
Status: | new → accepted |
1) Please don't just find a CVE and panic. Please analyze the CVEs you reference and explain why they are important to I2P users:
2) It's not our job to fix issues in other distribution packages. If you are that concerned about it, either run sid or talk to the package maintainer.
3) In our standalone installer we currently bundle Jetty 9.2.21, with a fix that's in 9.2.22. We will probably update to 9.2.22 (or later if available) in our 0.9.33 release.
4) Jetty is a massive and fast-moving project, and every year or two they drop support for an older version, and the new version is incompatible, which causes us no end of misery. Even though we recently switched to 9.2.x, it looks like we'll soon have to move again to 9.4.x. We can't possibly keep up, we will always be behind the latest Jetty release.
Leaving open as a task to update to 9.2.22 for 0.9.33 (and remove our patch), for non-package installs only.
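Comment 2 leaves the ticket open as a task to move the standalone installer from the patched Jetty 9.2.21 to 9.2.22. The script below is an added example (not I2P's or Jetty's own code) of the check an operator of a non-package install can run to see which Jetty version is actually bundled: it reads `Implementation-Version` from each jar's `META-INF/MANIFEST.MF` and compares it numerically against the 9.2.22 minimum the ticket names. The `lib/jetty-*.jar` layout is an assumption about the install directory, and the version strings used as sample input are constructed, not taken from real Jetty releases.

```python
import io
import re
import zipfile
from pathlib import Path

# Minimum Jetty release carrying the fix the ticket waits on (from the ticket text).
MIN_FIXED_VERSION = (9, 2, 22)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_jetty_version(version_string):
    """Turn a Jetty Implementation-Version such as '9.2.21.v20170120' into (9, 2, 21).

    The '.vYYYYMMDD' build suffix is ignored. Comparison is numeric, not lexical,
    so 9.2.22 correctly sorts above 9.2.3 (a plain string compare would get it wrong).
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())


def manifest_version(jar_bytes):
    """Read the Implementation-Version header from META-INF/MANIFEST.MF in a jar (a zip)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
    # Manifest lines longer than 72 bytes continue on the next line with a leading
    # space; join continuations before looking for the header.
    manifest = manifest.replace("\r\n", "\n").replace("\n ", "")
    for line in manifest.split("\n"):
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Implementation-Version header in manifest")


def check_jar(jar_bytes, minimum=MIN_FIXED_VERSION):
    """Return (version_tuple, meets_minimum) for one jar's bytes."""
    version = parse_jetty_version(manifest_version(jar_bytes))
    return version, version >= minimum


def check_install(lib_dir, minimum=MIN_FIXED_VERSION):
    """Scan jetty-*.jar files under lib_dir (assumed install layout); map filename -> (version, ok)."""
    results = {}
    for path in sorted(Path(lib_dir).glob("jetty-*.jar")):
        results[path.name] = check_jar(path.read_bytes(), minimum)
    return results


def make_fake_jar(version):
    """Build an in-memory jar holding only a manifest: constructed test input, not a real Jetty jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        manifest = (
            "Manifest-Version: 1.0\n"
            "Implementation-Vendor: Eclipse.org - Jetty\n"
            f"Implementation-Version: {version}\n"
        )
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample version strings in Jetty's usual format.
    for v in ("9.2.21.v20170120", "9.2.22.v20170606", "9.4.6.v20170531"):
        version, ok = check_jar(make_fake_jar(v))
        label = "OK" if ok else "BELOW FIX VERSION"
        print(f"{v:20s} -> {'.'.join(map(str, version))} {label}")
```

The caveat comment 2 itself points at: a manifest version says nothing about backported patches. An I2P install that still ships the patched 9.2.21 will be reported as below the fix version by this check even though the fix is present, so the result is a prompt to confirm which build is installed, not proof of exposure. Run `check_install("/path/to/i2p/lib")` against a real install to get one result per bundled jar.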