Your message dated Sat, 06 Apr 2024 11:20:05 +0000
with message-id <e1rt45d-001ug9...@fasolo.debian.org>
and subject line Bug#1064923: fixed in jetty9 9.4.54-1
has caused the Debian Bug report #1064923,
regarding jetty9: CVE-2024-22201
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1064923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064923
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jetty9
Version: 9.4.53-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jetty/jetty.project/issues/11256
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for jetty9.

CVE-2024-22201[0]:
| Jetty is a Java based web server and servlet engine. An HTTP/2 SSL
| connection that is established and TCP congested will be leaked when
| it times out. An attacker can cause many connections to end up in
| this state, and the server may run out of file descriptors,
| eventually causing the server to stop accepting new connections from
| valid clients. The vulnerability is patched in 9.4.54, 10.0.20,
| 11.0.20, and 12.0.6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22201
    https://www.cve.org/CVERecord?id=CVE-2024-22201
[1] https://github.com/jetty/jetty.project/issues/11256
[2] https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jetty9
Source-Version: 9.4.54-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
jetty9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated jetty9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 06 Apr 2024 12:54:58 +0200
Source: jetty9
Architecture: source
Version: 9.4.54-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1064923
Changes:
 jetty9 (9.4.54-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 9.4.54.
     - Fix CVE-2024-22201:
       It was discovered that remote attackers may leave many HTTP/2 connections
       in ESTABLISHED state (not closed), TCP congested and idle. Eventually the
       server will stop accepting new connections from valid clients which can
       cause a denial of service. (Closes: #1064923)
       Thanks to Salvatore Bonaccorso for the report.



--- End Message ---