Your message dated Sun, 07 Sep 2025 06:41:24 +0000
with message-id <[email protected]>
and subject line Bug#1111765: fixed in jetty12 12.0.17-3.1
has caused the Debian Bug report #1111765,
regarding jetty12: CVE-2025-5115
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1111765: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111765
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jetty12
Version: 12.0.17-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/jetty/jetty.project/pull/13449
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:jetty9 9.4.57-1
Control: retitle -2 jetty9: CVE-2025-5115

Hi,

The following vulnerability was published for jetty.

CVE-2025-5115[0]:
| In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25,
| <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server
| to send RST_STREAM frames, for example by sending frames that are
| malformed or that should not be sent in a particular stream state,
| therefore forcing the server to consume resources such as CPU and
| memory. For example, a client can open a stream and then send
| WINDOW_UPDATE frames with window size increment of 0, which is
| illegal. Per specification
| https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update ,
| the server should send a RST_STREAM frame. The client can now open
| another stream and send another bad WINDOW_UPDATE, therefore causing
| the server to consume more resources than necessary, as this case
| does not exceed the max number of concurrent streams, yet the client
| is able to create an enormous amount of streams in a short period of
| time. The attack can be performed with other conditions (for example,
| a DATA frame for a closed stream) that cause the server to send a
| RST_STREAM frame.
| Links:
| * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5115
    https://www.cve.org/CVERecord?id=CVE-2025-5115
[1] https://github.com/jetty/jetty.project/pull/13449
[2] https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
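The churn that the quoted CVE text describes, modelled at the HTTP/2 frame level. This is an added example, not Jetty code, and it makes no claim about how upstream fixed the issue: the Server class, its hypothetical rst_budget parameter and the constructed client frames are assumptions made here. The point it shows is that every stream the server resets is closed, so it no longer counts against SETTINGS_MAX_CONCURRENT_STREAMS and the client never hits that limit; the second run adds a budget on server-sent RST_STREAM frames, the check a server needs in addition to the limits on client-sent RST_STREAM that were introduced after Rapid Reset (CVE-2023-44487).

```python
"""Frame-level model of the MadeYouReset stream churn described in CVE-2025-5115.

Added example: not Jetty code, and no claim about how Jetty fixed the issue.
Frame layout per RFC 9113 section 4.1: 24-bit length, 8-bit type, 8-bit flags,
1 reserved bit + 31-bit stream id, then the payload.
"""
import struct

# RFC 9113 frame types, flags and error codes used below
DATA, HEADERS, RST_STREAM, WINDOW_UPDATE = 0x0, 0x1, 0x3, 0x8
END_STREAM, END_HEADERS = 0x1, 0x4
PROTOCOL_ERROR, STREAM_CLOSED, REFUSED_STREAM, ENHANCE_YOUR_CALM = 0x1, 0x5, 0x7, 0xB


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frame(buf):
    """Split one frame off the front of buf: (type, flags, stream_id, payload, rest)."""
    length = int.from_bytes(buf[:3], "big")
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    return buf[3], buf[4], stream_id, buf[9:9 + length], buf[9 + length:]


class Server:
    """Server-side stream bookkeeping plus an optional budget on server-sent RST_STREAM.

    rst_budget is the hypothetical mitigation: once the server has been made to reset
    more than rst_budget streams on one connection it stops serving the connection
    (modelled as a GOAWAY with ENHANCE_YOUR_CALM). Without it the only limit the
    client meets is max_concurrent, and a stream the server has reset no longer counts.
    """

    def __init__(self, max_concurrent=100, rst_budget=None):
        self.max_concurrent = max_concurrent
        self.rst_budget = rst_budget
        self.state = {}          # stream id -> "open" | "half_closed_remote" | "closed"
        self.rst_sent = 0        # RST_STREAM frames this server was made to send
        self.peak_open = 0       # most streams counted as concurrent at any moment
        self.goaway_code = None  # set once the connection is torn down

    def _active(self):
        return sum(1 for s in self.state.values() if s != "closed")

    def _reset(self, sid, code):
        self.state[sid] = "closed"   # a reset stream is closed: it no longer counts
        self.rst_sent += 1
        if self.rst_budget is not None and self.rst_sent > self.rst_budget:
            self.goaway_code = ENHANCE_YOUR_CALM
        return frame(RST_STREAM, 0, sid, struct.pack(">I", code))

    def receive(self, raw):
        """Handle one client frame; return the frame the server answers with, or None."""
        if self.goaway_code is not None:
            return None                          # connection already torn down
        ftype, flags, sid, payload, _ = parse_frame(raw)
        state = self.state.get(sid)
        if ftype == HEADERS and state is None:   # client opens a new stream
            if self._active() >= self.max_concurrent:
                return self._reset(sid, REFUSED_STREAM)
            self.state[sid] = "half_closed_remote" if flags & END_STREAM else "open"
            self.peak_open = max(self.peak_open, self._active())
            return None
        if ftype == WINDOW_UPDATE:
            increment = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
            if increment == 0:
                if sid == 0:                     # RFC 9113 6.9: connection error
                    self.goaway_code = PROTOCOL_ERROR
                elif state and state != "closed":  # RFC 9113 6.9: stream error
                    return self._reset(sid, PROTOCOL_ERROR)
            return None
        if ftype == DATA and state == "half_closed_remote":
            # RFC 9113 5.1: DATA after the client's own END_STREAM is STREAM_CLOSED
            return self._reset(sid, STREAM_CLOSED)
        return None


def made_you_reset(server, streams, variant="window_update"):
    """Open a stream, provoke a server RST_STREAM, repeat; the frames are constructed here.

    Returns (rst_sent, peak_open, goaway_code). peak_open stays at 1 because each
    stream is closed by the server's own RST_STREAM before the next one opens.
    """
    for i in range(streams):
        sid = 2 * i + 1                          # client-initiated streams are odd
        if variant == "window_update":
            server.receive(frame(HEADERS, END_HEADERS, sid))
            server.receive(frame(WINDOW_UPDATE, 0, sid, struct.pack(">I", 0)))
        else:                                    # DATA on a stream the client ended
            server.receive(frame(HEADERS, END_HEADERS | END_STREAM, sid))
            server.receive(frame(DATA, 0, sid, b"x"))
    return server.rst_sent, server.peak_open, server.goaway_code


if __name__ == "__main__":
    print("no budget :", made_you_reset(Server(max_concurrent=100), 10_000))
    print("budget 50 :", made_you_reset(Server(max_concurrent=100, rst_budget=50), 10_000))
```

Run stand-alone it reports (10000, 1, None) for the unbudgeted server, i.e. ten thousand resets with at most one stream ever counted as concurrent, and (51, 1, 11) once the budget of 50 tears the connection down. Two things a deployment needs beyond this sketch: the budget should be per time window rather than per connection lifetime, otherwise a long-lived legitimate connection is eventually cut off, and REFUSED_STREAM resets issued when a well-behaved client races the concurrency limit count against the same budget, so the threshold has to be set above what normal clients provoke.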
--- Begin Message ---
Source: jetty12
Source-Version: 12.0.17-3.1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jetty12, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated jetty12 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Sep 2025 09:34:36 +0300
Source: jetty12
Architecture: source
Version: 12.0.17-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1111765
Changes:
 jetty12 (12.0.17-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-5115: MadeYouReset HTTP/2 vulnerability (Closes: #1111765)
Checksums-Sha1:
 120d92e872f4d24c5dff9e5c53776791fe40a507 3128 jetty12_12.0.17-3.1.dsc
 9937a15e8511f58aeb07f8c03fee3c17225caae4 30336 jetty12_12.0.17-3.1.debian.tar.xz
Checksums-Sha256:
 a81740aa94740a36b9456ad5587686a37c9f3225a1fc51b7ce69826960a6c91a 3128 jetty12_12.0.17-3.1.dsc
 2185e279ddb3214eca397e17ea47fbc5f4e052dfe2da6d8bbe91e750ba97cb3c 30336 jetty12_12.0.17-3.1.debian.tar.xz
Files:
 45401d1c089ffdff01bf6aa405e84b4d 3128 java optional jetty12_12.0.17-3.1.dsc
 1b89daa5784add201352707eb79053bc 30336 java optional jetty12_12.0.17-3.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpPNpP0OI2Wg.pgp
Description: PGP signature


--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
[email protected] for discussions and questions.
