diff --git a/installer/resources/wrapper.config b/installer/resources/wrapper.config
index 3fbe0375e8f682301cfe738023c3392ff23158e5..380f94bc624c6e7512df63a889974db8aeaa842e 100644
--- a/installer/resources/wrapper.config
+++ b/installer/resources/wrapper.config
@@ -57,18 +57,23 @@ wrapper.java.library.path.2=$INSTALL_PATH/lib
 # Numbers must be consecutive (except for stripquotes)
 wrapper.java.additional.1=-DloggerFilenameOverride=logs/log-router-@.txt
 wrapper.java.additional.2=-Dorg.mortbay.http.Version.paranoid=true
-wrapper.java.additional.3=-Dorg.mortbay.util.FileResource.checkAliases=false
-wrapper.java.additional.4=-Dorg.mortbay.xml.XmlParser.NotValidating=true
-wrapper.java.additional.5=-Di2p.dir.base="$INSTALL_PATH"
-wrapper.java.additional.5.stripquotes=TRUE
+wrapper.java.additional.3=-Dorg.mortbay.xml.XmlParser.NotValidating=true
+wrapper.java.additional.4=-Di2p.dir.base="$INSTALL_PATH"
+wrapper.java.additional.4.stripquotes=TRUE
+# Jetty says this is a security risk
+# Uncommenting this won't help as the router forces it to true
+# If you really need this, you have to set it in jetty.xml
+# somehow - not sure exactly but here's a clue:
+# org.mortbay.util.FileResource.setCheckAliases(false)
+# wrapper.java.additional.5=-Dorg.mortbay.util.FileResource.checkAliases=false
 # PORTABLE installation:
 # uncomment the following
-#wrapper.java.additional.6=-Di2p.dir.pid="$INSTALL_PATH"
+#wrapper.java.additional.5=-Di2p.dir.pid="$INSTALL_PATH"
+#wrapper.java.additional.5.stripquotes=TRUE
+#wrapper.java.additional.6=-Di2p.dir.temp="$INSTALL_PATH"
 #wrapper.java.additional.6.stripquotes=TRUE
-#wrapper.java.additional.7=-Di2p.dir.temp="$INSTALL_PATH"
+#wrapper.java.additional.7=-Di2p.dir.config="$INSTALL_PATH"
 #wrapper.java.additional.7.stripquotes=TRUE
-#wrapper.java.additional.8=-Di2p.dir.config="$INSTALL_PATH"
-#wrapper.java.additional.8.stripquotes=TRUE
 #
 # Uncomment this for better performance.
 # If it doesn't work, server mode is not available in your JVM.
diff --git a/router/java/src/net/i2p/router/Router.java b/router/java/src/net/i2p/router/Router.java
index 77a73f65a7c3c6ab9abe41db20857fa4d4a3094c..b730d6d4a83967ff57ede5feb8f52216bf9b9b68 100644
--- a/router/java/src/net/i2p/router/Router.java
+++ b/router/java/src/net/i2p/router/Router.java
@@ -105,6 +105,12 @@ public class Router {
         System.setProperty("user.timezone", "GMT");
         // just in case, lets make it explicit...
         TimeZone.setDefault(TimeZone.getTimeZone("GMT"));
+        // https://www.kb.cert.org/vuls/id/402580
+        // http://docs.codehaus.org/display/JETTY/SystemProperties
+        // Fixed in Jetty 5.1.15 but we are running 5.1.12
+        // The default is true, unfortunately it was previously
+        // set to false in wrapper.config thru 0.7.10 so we must set it back here.
+        System.setProperty("Dorg.mortbay.util.FileResource.checkAliases", "true");
     }
     
     public Router() { this(null, null); }