Your message dated Sun, 28 Sep 2025 12:47:38 +0000
with message-id <[email protected]>
and subject line Bug#1111766: fixed in jetty9 9.4.57-1.1~deb12u1
has caused the Debian Bug report #1111766,
regarding jetty9: CVE-2025-5115
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1111766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111766
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jetty12
Version: 12.0.17-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/jetty/jetty.project/pull/13449
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:jetty9 9.4.57-1
Control: retitle -2 jetty9: CVE-2025-5115

Hi,

The following vulnerability was published for jetty.

CVE-2025-5115[0]:
| In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25,
| <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server
| to send RST_STREAM frames, for example by sending frames that are
| malformed or that should not be sent in a particular stream state,
| therefore forcing the server to consume resources such as CPU and
| memory. For example, a client can open a stream and then send
| WINDOW_UPDATE frames with window size increment of 0, which is
| illegal. Per specification
| https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update ,
| the server should send a RST_STREAM frame. The client can now open
| another stream and send another bad WINDOW_UPDATE, therefore causing
| the server to consume more resources than necessary, as this case
| does not exceed the max number of concurrent streams, yet the client
| is able to create an enormous amount of streams in a short period of
| time. The attack can be performed with other conditions (for example,
| a DATA frame for a closed stream) that cause the server to send a
| RST_STREAM frame.
| Links:
| * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5115
    https://www.cve.org/CVERecord?id=CVE-2025-5115
[1] https://github.com/jetty/jetty.project/pull/13449
[2] https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
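The server-side behaviour the advisory in the report above describes, shown as an added example that is not part of this bug report and not Jetty's code: a parser for HTTP/2 frames, the RFC 9113 check that makes a zero-increment WINDOW_UPDATE a PROTOCOL_ERROR (RST_STREAM on a stream, GOAWAY on stream 0), and a per-connection budget on the RST_STREAM frames the server sends, which is the mitigation class applied for "MadeYouReset". The frame layout and error codes are from RFC 9113; the budget limits (5 resets per second here), the `Connection` model and the constructed sample frames are assumptions of this example.

```python
"""Added example (not Jetty's code): validate HTTP/2 WINDOW_UPDATE frames and
cap the RST_STREAM frames a server sends per connection, the mitigation class
for CVE-2025-5115 ("MadeYouReset"). Frame layout and error codes follow
RFC 9113; the budget limits and connection model are assumptions."""
import struct
import time
from collections import deque

# Frame type and error codes from RFC 9113, sections 6 and 7.
FRAME_WINDOW_UPDATE = 0x8
ERR_PROTOCOL = 0x1
ERR_FRAME_SIZE = 0x6
ERR_ENHANCE_YOUR_CALM = 0xB


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def window_update(stream_id, increment):
    """Constructed test input: a WINDOW_UPDATE frame carrying the given increment."""
    return build_frame(FRAME_WINDOW_UPDATE, 0, stream_id, struct.pack(">I", increment))


def parse_frame(buf):
    """Parse one frame (RFC 9113 section 4.1) into (type, flags, stream_id, payload)."""
    if len(buf) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    payload = buf[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return buf[3], buf[4], stream_id, payload


def check_window_update(stream_id, payload):
    """RFC 9113 section 6.9: a zero increment is a PROTOCOL_ERROR, answered with
    RST_STREAM on a stream and with GOAWAY on stream 0. Returns None for a valid
    frame, otherwise (action, error_code)."""
    if len(payload) != 4:
        return ("goaway", ERR_FRAME_SIZE)
    increment = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
    if increment == 0:
        return ("goaway", ERR_PROTOCOL) if stream_id == 0 else ("rst", ERR_PROTOCOL)
    return None


class ResetBudget:
    """Sliding-window count of RST_STREAM frames sent on one connection. This is
    what turns 'one reset per bad frame, forever' into 'close the connection
    after max_resets resets within window_seconds'. The limits are assumed."""

    def __init__(self, max_resets=10, window_seconds=1.0, clock=time.monotonic):
        self.max_resets, self.window, self.clock = max_resets, window_seconds, clock
        self.sent = deque()

    def charge(self):
        """Record one reset; True while the connection is still within budget."""
        now = self.clock()
        self.sent.append(now)
        while now - self.sent[0] > self.window:  # the newest entry is never evicted
            self.sent.popleft()
        return len(self.sent) <= self.max_resets


class Connection:
    """Minimal server-side state (assumed): the reset budget plus a closed flag."""

    def __init__(self, budget):
        self.budget = budget
        self.closed = False

    def handle(self, raw):
        """React to one inbound frame: ('ok', None), ('rst', code) or ('goaway', code)."""
        if self.closed:
            return ("goaway", ERR_ENHANCE_YOUR_CALM)
        ftype, _flags, stream_id, payload = parse_frame(raw)
        verdict = check_window_update(stream_id, payload) if ftype == FRAME_WINDOW_UPDATE else None
        if verdict is None:
            return ("ok", None)
        action, code = verdict
        if action == "rst" and not self.budget.charge():
            # Too many client-provoked resets: stop paying for RST_STREAM frames
            # and tear the connection down instead.
            action, code = "goaway", ERR_ENHANCE_YOUR_CALM
        if action == "goaway":
            self.closed = True
        return (action, code)


def simulate(frames, max_resets=5, window_seconds=1.0):
    """Run constructed frames through one connection under a frozen clock (so all
    frames fall in one window) and return the list of reactions."""
    conn = Connection(ResetBudget(max_resets, window_seconds, clock=lambda: 100.0))
    return [conn.handle(f) for f in frames]


if __name__ == "__main__":
    # Constructed input: one valid update, then zero-increment updates on fresh
    # streams, the pattern the advisory describes.
    frames = [window_update(1, 1024)] + [window_update(s, 0) for s in range(3, 17, 2)]
    for frame, reaction in zip(frames, simulate(frames)):
        print("stream", parse_frame(frame)[2], "->", reaction)
```

With the budget at 5 resets per second, the first five bad frames each earn a RST_STREAM as the RFC requires, the sixth closes the connection with GOAWAY ENHANCE_YOUR_CALM, and anything after that is refused; without the budget every additional stream would cost the server another reset regardless of the concurrent-stream limit, which is the resource drain the advisory describes.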
--- Begin Message ---
Source: jetty9
Source-Version: 9.4.57-1.1~deb12u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jetty9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated jetty9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Sep 2025 16:19:54 +0300
Source: jetty9
Architecture: source
Version: 9.4.57-1.1~deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1111766
Changes:
 jetty9 (9.4.57-1.1~deb12u1) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for bookworm-security.
 .
 jetty9 (9.4.57-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-5115: MadeYouReset HTTP/2 vulnerability (Closes: #1111766)
Checksums-Sha1:
 4cfd83e2ca1b6c8e899ae4fe35a7828a7f48509a 2693 jetty9_9.4.57-1.1~deb12u1.dsc
 4ea2fe7f77fbdc49a9d39295b0943e7544b37a66 9913500 jetty9_9.4.57.orig.tar.xz
 7dff5cf2260e27bb7a42007beb71b456c7072339 32428 jetty9_9.4.57-1.1~deb12u1.debian.tar.xz
Checksums-Sha256:
 fff6809f9cf3e3ff0ee2fd4f0e53edbfef5e5f003ef675a816c91189df90b326 2693 jetty9_9.4.57-1.1~deb12u1.dsc
 0b39eb1e68d54c95a199547ba3919335181d03ce4ee5ff00346d986b33d5992f 9913500 jetty9_9.4.57.orig.tar.xz
 483c9ba8539e862b5912ce3d2dfe3efbfaa4fc149a3b2cd51022c9c368e85b72 32428 jetty9_9.4.57-1.1~deb12u1.debian.tar.xz
Files:
 b425f67281b5e0b51394ed1ee2c4f1b1 2693 java optional jetty9_9.4.57-1.1~deb12u1.dsc
 53d9f283ec2bb7a11c16b0998f2f391e 9913500 java optional jetty9_9.4.57.orig.tar.xz
 8d9ff73c215175ba8a7fb259924e4f59 32428 java optional jetty9_9.4.57-1.1~deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
