Your message dated Sat, 20 Sep 2025 19:17:10 +0000
with message-id <[email protected]>
and subject line Bug#1111766: fixed in jetty9 9.4.57-1.1~deb13u1
has caused the Debian Bug report #1111766,
regarding jetty9: CVE-2025-5115
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111766
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jetty12
Version: 12.0.17-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/jetty/jetty.project/pull/13449
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:jetty9 9.4.57-1
Control: retitle -2 jetty9: CVE-2025-5115
Hi,
The following vulnerability was published for jetty.
CVE-2025-5115[0]:
| In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25,
| <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server
| to send RST_STREAM frames, for example by sending frames that are
| malformed or that should not be sent in a particular stream state,
| therefore forcing the server to consume resources such as CPU and
| memory. For example, a client can open a stream and then send
| WINDOW_UPDATE frames with window size increment of 0, which is
| illegal. Per specification https://www.rfc-
| editor.org/rfc/rfc9113.html#name-window_update , the server should
| send a RST_STREAM frame. The client can now open another stream and
| send another bad WINDOW_UPDATE, therefore causing the server to
| consume more resources than necessary, as this case does not exceed
| the max number of concurrent streams, yet the client is able to
| create an enormous amount of streams in a short period of time.
| The attack can be performed with other conditions (for example, a
| DATA frame for a closed stream) that cause the server to send a
| RST_STREAM frame. Links: *
| https://github.com/jetty/jetty.project/security/advisories/GHSA-
| mmxm-8w33-wc4h
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-5115
https://www.cve.org/CVERecord?id=CVE-2025-5115
[1] https://github.com/jetty/jetty.project/pull/13449
[2]
https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: jetty9
Source-Version: 9.4.57-1.1~deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jetty9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated jetty9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Sep 2025 15:25:59 +0300
Source: jetty9
Architecture: source
Version: 9.4.57-1.1~deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1111766
Changes:
jetty9 (9.4.57-1.1~deb13u1) trixie-security; urgency=medium
.
* Non-maintainer upload.
* Rebuild for trixie-security.
.
jetty9 (9.4.57-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2025-5115: MadeYouReset HTTP/2 vulnerability (Closes: #1111766)
Checksums-Sha1:
3e450eb7738df4bee9628751fc0ccb80dd77a2a3 2693 jetty9_9.4.57-1.1~deb13u1.dsc
16db04e4afb98e2a726507239f6649f96e0f1664 32436
jetty9_9.4.57-1.1~deb13u1.debian.tar.xz
Checksums-Sha256:
b275edb927048043535087c1dfc9592af5227ea75da97cf8a96b915bd4e8ae71 2693
jetty9_9.4.57-1.1~deb13u1.dsc
b9af1a1daed15b41a11546eaec0c10cc12862ef467fd90af3a48742103b07076 32436
jetty9_9.4.57-1.1~deb13u1.debian.tar.xz
Files:
428e22882dcff1749f1bc9c219d5d35a 2693 java optional
jetty9_9.4.57-1.1~deb13u1.dsc
e2f4011c10c7adeb4bbb47300ffd2b1a 32436 java optional
jetty9_9.4.57-1.1~deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmjLgi0ACgkQiNJCh6LY
mLG6LA/+PhHs1cIUA5N8yjHLTvtMtNWFAMNzny6vone0xM5x55260DjEDzHIExnM
46seypnA2fhJnf4DxP2yQb8K7LSL/27oH/hggQAWPb1aRjrKUjhc7m8gBFD8skNq
G1CVXIERR13bkmqqkWJtSyxfB0nibdo8xR6/Kss8Mt0NT1ydc22xwC6+usFPLvf7
IALRNmH156/PsZpZGW7eNKB0BDZOFMm0JkiygSqK0vuC4QcDNB65mBn4P+7taetP
zXaKjjvGCmSv5hSf/DbEyqBp1q7eFggMBBL4hvkmvwc6YTNd7FcCYM9VvVJsvzJ3
GzVngiWCU0bCnbNfgvJIJzpOy7vvSWn3SER7BXtWrlrP9HogvZ2G/9IXign6adH7
RCH0Xs2MbwXWYgamj56R3fRazzehus8i9W/7xWyNsHusnn2wZRkBbzAsUhmz4eBB
uA1d3GnCoA859rjT6Ou4HebiVOUsaD/KE89C6GY8okPe2Eqe3c/izUNCztp0mmin
PjdRqxWdLCfrlRRlyO2nxokDpG2qwUOjmz/J5lnY9qhePbVMaRTERZZeMr7rtbAI
CDtiO00+Sk1vB4AZvespUE3n3qFBHIRLd74+dYi+uYbRei2T4UNADewfAAh0QB6Y
kSBGs/O7HkgjDzoOHnBhsWXoVtdD47z+Q7j/fT3wBYrq16HCjCI=
=+9bi
-----END PGP SIGNATURE-----
pgp7A9hJn0R_V.pgp
Description: PGP signature
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.
