Your message dated Sat, 20 Sep 2025 19:17:09 +0000
with message-id <[email protected]>
and subject line Bug#1111765: fixed in jetty12 12.0.17-3.1~deb13u1
has caused the Debian Bug report #1111765,
regarding jetty12: CVE-2025-5115
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1111765: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111765
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jetty12
Version: 12.0.17-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/jetty/jetty.project/pull/13449
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:jetty9 9.4.57-1
Control: retitle -2 jetty9: CVE-2025-5115

Hi,

The following vulnerability was published for jetty.

CVE-2025-5115[0]:
| In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25,
| <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server
| to send RST_STREAM frames, for example by sending frames that are
| malformed or that should not be sent in a particular stream state,
| therefore forcing the server to consume resources such as CPU and
| memory. For example, a client can open a stream and then send
| WINDOW_UPDATE frames with window size increment of 0, which is
| illegal. Per specification
| https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update ,
| the server should send a RST_STREAM frame. The client can now open
| another stream and send another bad WINDOW_UPDATE, therefore causing
| the server to consume more resources than necessary, as this case
| does not exceed the max number of concurrent streams, yet the client
| is able to create an enormous amount of streams in a short period of
| time. The attack can be performed with other conditions (for
| example, a DATA frame for a closed stream) that cause the server to
| send a RST_STREAM frame.
| Links:
| * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5115
    https://www.cve.org/CVERecord?id=CVE-2025-5115
[1] https://github.com/jetty/jetty.project/pull/13449
[2] https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
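The WINDOW_UPDATE case from the advisory above, worked as the server-side checks a defender would want: an added example in Python, not Jetty's code or the upstream fix. It decodes RFC 9113 frame headers, treats a zero increment as the stream error the RFC requires, and bounds how many RST_STREAM frames one connection can force before the server closes it with GOAWAY; the sliding-window rate limit, its defaults and the frame builder are constructed for illustration.

```python
import struct
from collections import deque

WINDOW_UPDATE = 0x8  # frame type, RFC 9113 section 6.9
PROTOCOL_ERROR, FRAME_SIZE_ERROR, ENHANCE_YOUR_CALM = 0x1, 0x6, 0xB  # section 7

def frame(ftype, stream_id, payload, flags=0):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id (section 4.1)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frame(buf):
    length = int.from_bytes(buf[:3], "big")
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    return buf[3], buf[4], stream_id, buf[9:9 + length]  # (type, flags, stream_id, payload)

class Connection:
    """Server-side state for one HTTP/2 connection (constructed policy, not Jetty's): each
    RST_STREAM the peer forces the server to send is timestamped in a sliding window, and
    more than max_resets within window_s seconds closes the whole connection."""

    def __init__(self, max_resets=50, window_s=1.0):
        self.max_resets, self.window_s = max_resets, window_s
        self.reset_times = deque()
        self.goaway = None  # error code once GOAWAY has been sent

    def _send_reset(self, stream_id, now):
        self.reset_times.append(now)
        while now - self.reset_times[0] > self.window_s:  # drop timestamps outside the window
            self.reset_times.popleft()
        if len(self.reset_times) > self.max_resets:
            self.goaway = ENHANCE_YOUR_CALM
            return ("GOAWAY", 0, ENHANCE_YOUR_CALM)
        return ("RST_STREAM", stream_id, PROTOCOL_ERROR)

    def handle(self, buf, now):  # returns (frame_name, stream_id, error_code) the server sends
        if self.goaway is not None:
            return ("CLOSED", 0, self.goaway)
        ftype, _flags, stream_id, payload = parse_frame(buf)
        if ftype == WINDOW_UPDATE:
            if len(payload) != 4:  # section 6.9: wrong length is a connection error
                self.goaway = FRAME_SIZE_ERROR
                return ("GOAWAY", 0, FRAME_SIZE_ERROR)
            increment = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
            if increment == 0 and stream_id == 0:  # connection window: connection error
                self.goaway = PROTOCOL_ERROR
                return ("GOAWAY", 0, PROTOCOL_ERROR)
            if increment == 0:  # stream window: the stream error the advisory describes
                return self._send_reset(stream_id, now)
        return ("OK", stream_id, None)
```

The other trigger the advisory names, a DATA frame for a closed stream, would feed the same `_send_reset()` counter once stream state is tracked.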
--- Begin Message ---
Source: jetty12
Source-Version: 12.0.17-3.1~deb13u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jetty12, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated jetty12 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sun, 07 Sep 2025 15:39:59 +0300
Source: jetty12
Architecture: source
Version: 12.0.17-3.1~deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1111765
Changes:
 jetty12 (12.0.17-3.1~deb13u1) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for trixie-security.
 .
 jetty12 (12.0.17-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-5115: MadeYouReset HTTP/2 vulnerability (Closes: #1111765)



--- End Message ---