Your message dated Tue, 01 Apr 2025 19:43:15 +0200
with message-id <[email protected]>
and subject line Re: jetty9: CVE-2024-6762
has caused the Debian Bug report #1085697,
regarding jetty9: CVE-2024-6762
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1085697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085697
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jetty9
X-Debbugs-CC: [email protected]
Severity: normal
Tags: security

Hi,

The following vulnerability was published for jetty9.

CVE-2024-6762[0]:
| Jetty PushSessionCacheFilter can be exploited by unauthenticated
| users to launch remote DoS attacks by exhausting the server’s
| memory.

https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79

The advisory mentions only 10.x and later to be affected, but
PushSessionCacheFilter seems also present in our jetty9 package.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6762
    https://www.cve.org/CVERecord?id=CVE-2024-6762

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Version: 9.4.54-1

This issue has been addressed in 9.4.54-1 by deprecating PushCacheFilter
and PushSessionCacheFilter. I believe the warning is sufficient and no
reverse-dependency is negatively affected by it.

    https://github.com/jetty/jetty.project/pull/9716

    https://github.com/jetty/jetty.project/pull/10756



--- End Message ---
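
Since the fix described above is a deprecation rather than a removal, a deployment can still configure either filter. One way to check a `web.xml` for them, as an added example that is not part of the bug report or of Jetty: the package name `org.eclipse.jetty.servlets` is the one used by Jetty's jetty-servlets module, the sample descriptor is constructed, and filters registered programmatically are outside what this check sees.

```python
import xml.etree.ElementTree as ET

# Filter classes named in the bug report and its closing message
# (fully qualified names as found in Jetty's jetty-servlets module).
PUSH_FILTERS = {
    "org.eclipse.jetty.servlets.PushCacheFilter",
    "org.eclipse.jetty.servlets.PushSessionCacheFilter",
}

def _local(tag):
    # Drop the XML namespace so javaee, jakartaee and un-namespaced files all match.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def find_push_filters(web_xml_text):
    """Map each push filter's <filter-name> to its class and mapped URL patterns."""
    root = ET.fromstring(web_xml_text)
    found = {}
    for elem in root:
        if _local(elem.tag) == "filter":
            cls = "".join(_texts(elem, "filter-class")[:1])
            if cls in PUSH_FILTERS:
                name = "".join(_texts(elem, "filter-name")[:1])
                found[name] = {"class": cls, "url_patterns": []}
    # Second pass: mappings may appear before or after the filter declaration.
    for elem in root:
        if _local(elem.tag) == "filter-mapping":
            for name in _texts(elem, "filter-name"):
                if name in found:
                    found[name]["url_patterns"] += _texts(elem, "url-pattern")
    return found

# Constructed sample descriptor, not taken from any real package.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter><filter-name>push</filter-name>
    <filter-class>org.eclipse.jetty.servlets.PushSessionCacheFilter</filter-class></filter>
  <filter><filter-name>audit</filter-name>
    <filter-class>com.example.AuditFilter</filter-class></filter>
  <filter-mapping><filter-name>push</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    for name, info in find_push_filters(SAMPLE_WEB_XML).items():
        print(f"{name}: {info['class']} mapped to {info['url_patterns']}")
```

A non-empty result means the application still enables one of the deprecated filters and is worth reviewing against the advisory linked in the report.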
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.