Candidate: CVE-2009-4611
PublicDate: 2010-01-13 20:30:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4611
 http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
Description:
 Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without
 sanitizing non-printable characters, which might allow remote attackers to
 modify a window's title, or possibly execute arbitrary commands or overwrite
 files, via an HTTP request containing an escape sequence for a terminal
 emulator, related to (1) a string value in the Age parameter to the default
 URI for the Cookie Dump Servlet in
 test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/,
 (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an
 alphabetic value in the Content-Length HTTP header to an arbitrary
 application.
Ubuntu-Description:
Notes:
 jdstrand> if there is a problem, it is the terminal that has the issue
Bugs:
 http://jira.codehaus.org/browse/JETTY-1129
Priority: negligible
Discovered-by:
Assigned-to:
CVSS:

Patches_jetty:
upstream_jetty: released (6.1.22)
dapper_jetty: ignored (reached end-of-life)
hardy_jetty: ignored (reached end-of-life)
intrepid_jetty: needed (reached end-of-life)
jaunty_jetty: ignored (reached end-of-life)
karmic_jetty: ignored (reached end-of-life)
lucid_jetty: not-affected (6.1.22-1ubuntu1)
maverick_jetty: not-affected (6.1.22-1ubuntu1)
natty_jetty: not-affected (6.1.22-1ubuntu1)
oneiric_jetty: not-affected (6.1.22-1ubuntu1)
devel_jetty: not-affected (6.1.22-1ubuntu1)
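All three vectors in the description share one shape: an attacker-controlled request field (a cookie value, a JSP parameter, a Content-Length header) fails to parse, is copied into an exception message, and lands unescaped in a log or backtrace that an operator later views in a terminal. The triage note above puts the blame on the terminal that interprets the bytes; the application-side mitigation is to escape control characters before any request-derived string reaches a log sink. The following is an added illustration of that escaping step and of a detector for already-written logs. It is not Jetty's code and not taken from the ush.it advisory; the function names, the regular expression, and the sample header value are assumptions constructed for this example, written in Python rather than Java so it runs stand-alone.

```python
import re

# Constructed sample input (not from the advisory): a Content-Length value that
# is non-numeric, as in vector (3), and carries an OSC "set window title"
# sequence (ESC ] 0 ; title BEL). Rendered raw in xterm, it retitles the window.
SAMPLE_HEADER = "abc\x1b]0;pwned\x07"

# Common ANSI/ECMA-48 sequences an attacker would embed: OSC (terminated by BEL
# or ESC \), 7-bit CSI, other ESC-prefixed Fe sequences, and the 8-bit CSI byte.
_ESCAPE_SEQ = re.compile(
    r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC ... BEL | ST
    r"|\x1b\[[0-?]*[ -/]*[@-~]"           # CSI params intermediates final
    r"|\x1b[@-Z\\-_]"                     # ESC + single Fe byte
    r"|\x9b[0-?]*[ -/]*[@-~]"             # 8-bit CSI
)


def contains_terminal_escape(value: str) -> bool:
    """Detection side: does a string (e.g. a stored log line) carry a
    terminal escape sequence? Useful when reviewing logs written before a fix."""
    return _ESCAPE_SEQ.search(value) is not None


def sanitize_for_log(value: str) -> str:
    """Prevention side: replace every control character (C0 0x00-0x1f, DEL,
    C1 0x80-0x9f) with a visible \\xNN escape so the terminal never sees the
    raw byte. Newline and carriage return are covered too, which also blocks
    log-line injection (forging an extra log record)."""
    out = []
    for ch in value:
        cp = ord(ch)
        if cp < 0x20 or 0x7F <= cp <= 0x9F:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(ch)
    return "".join(out)


def log_parse_failure(field_name: str, raw_value: str) -> str:
    """Build the log line a server would emit when a request field fails to
    parse (hypothetical message format, not Jetty's), with the untrusted value
    escaped first."""
    return f"bad {field_name} value: {sanitize_for_log(raw_value)!s}"


if __name__ == "__main__":
    # Vulnerable pattern: the raw value is interpolated as-is.
    unsafe = f"bad Content-Length value: {SAMPLE_HEADER}"
    print("escape present in unsafe line:", contains_terminal_escape(unsafe))
    # Hardened pattern: control bytes are made visible instead of executable.
    safe = log_parse_failure("Content-Length", SAMPLE_HEADER)
    print("escape present in safe line:  ", contains_terminal_escape(safe))
    print(safe)
```

The escape-by-default approach is deliberately broader than the regex: the detector exists to find what a terminal would act on, but the sanitizer removes every control byte, because new terminal emulators keep adding sequences and an allow-list of printable characters does not need updating.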