Your message dated Sun, 07 Sep 2025 06:42:06 +0000
with message-id <[email protected]>
and subject line Bug#1111766: fixed in jetty9 9.4.57-1.1
has caused the Debian Bug report #1111766,
regarding jetty9: CVE-2025-5115
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111766
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jetty12
Version: 12.0.17-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/jetty/jetty.project/pull/13449
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:jetty9 9.4.57-1
Control: retitle -2 jetty9: CVE-2025-5115
Hi,
The following vulnerability was published for jetty.
CVE-2025-5115[0]:
| In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25,
| <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server
| to send RST_STREAM frames, for example by sending frames that are
| malformed or that should not be sent in a particular stream state,
| therefore forcing the server to consume resources such as CPU and
| memory. For example, a client can open a stream and then send
| WINDOW_UPDATE frames with window size increment of 0, which is
| illegal. Per specification
| https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update ,
| the server should send a RST_STREAM frame. The client can now open
| another stream and
| send another bad WINDOW_UPDATE, therefore causing the server to
| consume more resources than necessary, as this case does not exceed
| the max number of concurrent streams, yet the client is able to
| create an enormous amount of streams in a short period of time.
| The attack can be performed with other conditions (for example, a
| DATA frame for a closed stream) that cause the server to send a
| RST_STREAM frame. Links: *
| https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-5115
https://www.cve.org/CVERecord?id=CVE-2025-5115
[1] https://github.com/jetty/jetty.project/pull/13449
[2] https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
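The quoted description is enough to model the attack end to end: a client opens a stream, provokes the server into sending RST_STREAM (a WINDOW_UPDATE with a zero increment, or DATA on a stream that is already closed), and repeats, never holding more than one stream open, so SETTINGS_MAX_CONCURRENT_STREAMS never limits it. The following is an added example written for this page, not code from Jetty, from the advisory or from the pull request. It is a toy HTTP/2 frame codec plus a server-side stream bookkeeping class; the `rst_limit`/`rst_window` guard (close the connection with GOAWAY ENHANCE_YOUR_CALM once the server has been forced to send more than N resets in a window) and the numbers 50 resets per second are assumptions chosen to illustrate the mitigation idea, not Jetty's defaults or the shape of the upstream fix.

```python
"""Constructed model of the HTTP/2 MadeYouReset pattern from CVE-2025-5115.
Illustrative code for this page: not Jetty's implementation, and the guard
thresholds below are assumptions, not Jetty's or the advisory's numbers."""
import struct
from collections import deque

# Frame types, flags and error codes, RFC 9113 sections 6 and 7.
DATA, HEADERS, RST_STREAM, GOAWAY, WINDOW_UPDATE = 0x0, 0x1, 0x3, 0x7, 0x8
END_HEADERS = 0x4
PROTOCOL_ERROR, STREAM_CLOSED, REFUSED_STREAM, ENHANCE_YOUR_CALM = 0x1, 0x5, 0x7, 0xB


def encode_frame(ftype, flags, stream_id, payload=b""):
    """9-octet header: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def decode_frames(buf):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((ftype, flags, stream_id, payload))
        pos += 9 + length
    return frames


def window_update(stream_id, increment):
    """WINDOW_UPDATE payload: one reserved bit plus a 31-bit increment (RFC 9113 6.9)."""
    return encode_frame(WINDOW_UPDATE, 0, stream_id, struct.pack(">I", increment & 0x7FFFFFFF))


class Http2Server:
    """Minimal server-side stream bookkeeping. rst_limit=None reproduces the
    unguarded behaviour; a number caps client-provoked resets per rst_window seconds."""

    def __init__(self, max_concurrent_streams=100, rst_limit=None, rst_window=1.0):
        self.max_concurrent_streams = max_concurrent_streams
        self.rst_limit, self.rst_window = rst_limit, rst_window
        self.open, self.last_stream_id = set(), 0
        self.peak_open = self.resets_sent = 0
        self.recent_resets = deque()   # timestamps of RST_STREAM frames we had to send
        self.closed = False

    def _goaway(self, code):
        self.closed = True
        return [encode_frame(GOAWAY, 0, 0, struct.pack(">II", self.last_stream_id, code))]

    def _reset(self, stream_id, code, now):
        self.open.discard(stream_id)
        self.resets_sent += 1
        self.recent_resets.append(now)
        while now - self.recent_resets[0] > self.rst_window:
            self.recent_resets.popleft()
        out = [encode_frame(RST_STREAM, 0, stream_id, struct.pack(">I", code))]
        if self.rst_limit is not None and len(self.recent_resets) > self.rst_limit:
            out += self._goaway(ENHANCE_YOUR_CALM)   # peer keeps making us reset: drop it
        return out

    def receive(self, raw, now):
        """Process client bytes received at time `now`; return frames sent back."""
        out = []
        for ftype, _flags, sid, payload in decode_frames(raw):
            if self.closed:
                break
            if ftype == HEADERS:
                if sid % 2 == 0 or sid <= self.last_stream_id:
                    out += self._goaway(PROTOCOL_ERROR)       # bad stream id, RFC 9113 5.1.1
                    continue
                self.last_stream_id = sid
                if len(self.open) >= self.max_concurrent_streams:
                    out += self._reset(sid, REFUSED_STREAM, now)
                    continue
                self.open.add(sid)
                self.peak_open = max(self.peak_open, len(self.open))
            elif ftype == WINDOW_UPDATE:
                increment = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
                if sid == 0 and increment == 0:
                    out += self._goaway(PROTOCOL_ERROR)       # connection-level zero increment
                elif sid in self.open and increment == 0:
                    out += self._reset(sid, PROTOCOL_ERROR, now)  # the MadeYouReset trigger
            elif ftype == DATA and sid not in self.open and sid <= self.last_stream_id:
                out += self._reset(sid, STREAM_CLOSED, now)   # DATA on a closed stream
        return out


def simulate_made_you_reset(n_streams, interval, server):
    """Client opens stream i and immediately sends WINDOW_UPDATE(0) on it, n times,
    `interval` seconds apart. Returns (peak_open_streams, resets_sent, closed)."""
    now = 0.0
    for i in range(n_streams):
        sid = 2 * i + 1
        server.receive(encode_frame(HEADERS, END_HEADERS, sid) + window_update(sid, 0), now)
        if server.closed:
            break
        now += interval
    return server.peak_open, server.resets_sent, server.closed
```

Running `simulate_made_you_reset(1000, 0.001, Http2Server())` against the unguarded server gives a peak of one open stream and 1000 server-sent resets: the concurrency limit never engages, which is the whole point of the CVE. With `Http2Server(rst_limit=50)` the same traffic is cut off after the 51st reset, while a client pacing its bad frames ten per second stays under the window and is left alone. Note that the server must count resets it was forced to send, not RST_STREAM frames received from the client (that is the older Rapid Reset case).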
--- Begin Message ---
Source: jetty9
Source-Version: 9.4.57-1.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jetty9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated jetty9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 05 Sep 2025 08:55:56 +0300
Source: jetty9
Architecture: source
Version: 9.4.57-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1111766
Changes:
jetty9 (9.4.57-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2025-5115: MadeYouReset HTTP/2 vulnerability (Closes: #1111766)
Checksums-Sha1:
448689396be32d18350be221bec01f87742c4613 2661 jetty9_9.4.57-1.1.dsc
8fe55c4b3652f4be87c107d0bd40f2c28ac565f3 32388 jetty9_9.4.57-1.1.debian.tar.xz
Checksums-Sha256:
d55a7065bc16eab42d64682e498444bae43cf925c5cdafbd87cd7070229f0b53 2661 jetty9_9.4.57-1.1.dsc
7c90553b36c420bb3b90a20c47228c74368f32063926aff89b1271b04e7ce3e1 32388 jetty9_9.4.57-1.1.debian.tar.xz
Files:
cd34da5e6f655fb11de791ec16fd88a0 2661 java optional jetty9_9.4.57-1.1.dsc
5455d029f071fe70a0e6216dcc1691e0 32388 java optional jetty9_9.4.57-1.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.