Source: jetty12
Version: 12.0.17-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/jetty/jetty.project/pull/13449
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:jetty9 9.4.57-1
Control: retitle -2 jetty9: CVE-2025-5115
Hi,

The following vulnerability was published for jetty.

CVE-2025-5115[0]:
| In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25,
| <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server
| to send RST_STREAM frames, for example by sending frames that are
| malformed or that should not be sent in a particular stream state,
| therefore forcing the server to consume resources such as CPU and
| memory. For example, a client can open a stream and then send
| WINDOW_UPDATE frames with window size increment of 0, which is
| illegal. Per specification
| https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update ,
| the server should send a RST_STREAM frame. The client can now open
| another stream and send another bad WINDOW_UPDATE, therefore causing
| the server to consume more resources than necessary, as this case
| does not exceed the max number of concurrent streams, yet the client
| is able to create an enormous amount of streams in a short period of
| time. The attack can be performed with other conditions (for example,
| a DATA frame for a closed stream) that cause the server to send a
| RST_STREAM frame.
|
| Links:
| * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5115
    https://www.cve.org/CVERecord?id=CVE-2025-5115
[1] https://github.com/jetty/jetty.project/pull/13449
[2] https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
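The attack pattern in the CVE text above (open a stream, send a WINDOW_UPDATE with increment 0, get a RST_STREAM, repeat, never exceeding the concurrent-stream limit), worked through as an added example. This is illustrative code written for this report, not Jetty's code and not the upstream fix in PR 13449. The frame layout follows RFC 9113 sections 4.1, 6.1 and 6.9; the ServerConnection class, its sliding-window RST_STREAM counter and the threshold of 100 per second are assumptions chosen to show one mitigation shape (close the connection with GOAWAY ENHANCE_YOUR_CALM once the peer has forced too many resets), not what Jetty implements.

```python
"""CVE-2025-5115 pattern: forced RST_STREAMs via WINDOW_UPDATE(increment=0).

Added example, not Jetty code. Frame bytes follow RFC 9113; the server-side
rate limit (names, threshold, window) is an assumption for illustration.
"""
import struct
from collections import deque

# RFC 9113 frame types and error codes used below
TYPE_DATA = 0x0
TYPE_RST_STREAM = 0x3
TYPE_GOAWAY = 0x7
TYPE_WINDOW_UPDATE = 0x8
PROTOCOL_ERROR = 0x1
STREAM_CLOSED = 0x5
ENHANCE_YOUR_CALM = 0xB


def encode_frame(ftype, flags, stream_id, payload):
    """9-byte header: 24-bit length, type, flags, reserved bit + 31-bit stream id; then payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def encode_window_update(stream_id, increment):
    """WINDOW_UPDATE payload is a reserved bit plus a 31-bit increment (RFC 9113 s6.9)."""
    return encode_frame(TYPE_WINDOW_UPDATE, 0, stream_id, struct.pack("!I", increment & 0x7FFFFFFF))


def decode_frame(buf):
    """Split one frame off the front of buf: (type, flags, stream_id, payload, rest)."""
    length = int.from_bytes(buf[0:3], "big")
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    return buf[3], buf[4], stream_id, buf[9:9 + length], buf[9 + length:]


class ServerConnection:
    """Hypothetical server-side state for one connection (assumed names)."""

    def __init__(self, max_rst_per_window=100, window_seconds=1.0):
        self.open_streams = set()
        self.peak_open = 0            # highest number of concurrently open streams seen
        self.sent = []                # (frame type, stream id, error code) the server emitted
        self.rst_times = deque()      # send times of RST_STREAMs inside the sliding window
        self.max_rst = max_rst_per_window
        self.window = window_seconds
        self.closed = False

    def open_stream(self, stream_id):
        # Stand-in for a HEADERS frame opening a client-initiated (odd) stream.
        self.open_streams.add(stream_id)
        self.peak_open = max(self.peak_open, len(self.open_streams))

    def _goaway(self, code):
        self.sent.append((TYPE_GOAWAY, 0, code))
        self.closed = True

    def _reset_stream(self, stream_id, code, now):
        self.sent.append((TYPE_RST_STREAM, stream_id, code))
        self.open_streams.discard(stream_id)
        # Count RST_STREAMs the peer forced us to send; too many in one window is abuse.
        self.rst_times.append(now)
        while self.rst_times and now - self.rst_times[0] > self.window:
            self.rst_times.popleft()
        if len(self.rst_times) > self.max_rst:
            self._goaway(ENHANCE_YOUR_CALM)

    def handle_frame(self, ftype, stream_id, payload, now):
        if self.closed:
            return
        if ftype == TYPE_WINDOW_UPDATE:
            increment = struct.unpack("!I", payload)[0] & 0x7FFFFFFF
            if increment == 0:
                # s6.9: increment 0 is PROTOCOL_ERROR; a stream error on a stream,
                # a connection error on stream 0. Valid increments are not modelled.
                if stream_id == 0:
                    self._goaway(PROTOCOL_ERROR)
                else:
                    self._reset_stream(stream_id, PROTOCOL_ERROR, now)
        elif ftype == TYPE_DATA and stream_id not in self.open_streams:
            # s6.1: DATA on a stream that is not open is a STREAM_CLOSED stream error.
            self._reset_stream(stream_id, STREAM_CLOSED, now)


def rst_count(conn):
    return sum(1 for ftype, _, _ in conn.sent if ftype == TYPE_RST_STREAM)


def run_attack(n_streams, max_rst_per_window=100, frame_interval=0.001):
    """Client opens n streams, each followed by a constructed WINDOW_UPDATE(0)."""
    conn = ServerConnection(max_rst_per_window=max_rst_per_window)
    now = 0.0
    for i in range(n_streams):
        if conn.closed:
            break
        sid = 2 * i + 1                        # client-initiated streams are odd
        conn.open_stream(sid)
        wire = encode_window_update(sid, 0)    # the illegal frame, constructed here
        ftype, _flags, stream_id, payload, rest = decode_frame(wire)
        assert rest == b""
        conn.handle_frame(ftype, stream_id, payload, now)
        now += frame_interval                  # one frame per millisecond
    return conn


if __name__ == "__main__":
    unlimited = run_attack(1000, max_rst_per_window=10**9)
    limited = run_attack(1000)
    print("no limit: RST_STREAMs", rst_count(unlimited), "peak open", unlimited.peak_open)
    print("limited : RST_STREAMs", rst_count(limited), "closed", limited.closed)
```

Run stand-alone, the unlimited server answers all 1000 bad frames with 1000 RST_STREAMs while never having more than one stream open, which is why a SETTINGS_MAX_CONCURRENT_STREAMS cap alone does not stop the pattern; the limited server sends GOAWAY after the 101st reset.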
