Your message dated Sat, 06 Apr 2024 11:20:05 +0000
with message-id <e1rt45d-001ug9...@fasolo.debian.org>
and subject line Bug#1064923: fixed in jetty9 9.4.54-1
has caused the Debian Bug report #1064923,
regarding jetty9: CVE-2024-22201
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1064923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064923
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jetty9
Version: 9.4.53-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jetty/jetty.project/issues/11256
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for jetty9.

CVE-2024-22201[0]:
| Jetty is a Java based web server and servlet engine. An HTTP/2 SSL
| connection that is established and TCP congested will be leaked when
| it times out. An attacker can cause many connections to end up in
| this state, and the server may run out of file descriptors,
| eventually causing the server to stop accepting new connections from
| valid clients. The vulnerability is patched in 9.4.54, 10.0.20,
| 11.0.20, and 12.0.6.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22201
    https://www.cve.org/CVERecord?id=CVE-2024-22201
[1] https://github.com/jetty/jetty.project/issues/11256
[2] https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
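The practical question the report above raises for an operator is whether a given jetty9 or upstream Jetty installation is at or past the fixed versions it quotes (9.4.54, 10.0.20, 11.0.20, 12.0.6). The following is an added example, not code from the bug report, the Debian package or the Jetty project: it reimplements dpkg's version ordering (epoch:upstream-revision, with "~" sorting before the empty string) so that Debian revisions and pre-release suffixes compare the way `dpkg --compare-versions` would, and then classifies a version string against the advisory's per-branch fixed versions. The function names, the version table and the sample version strings (including the "~deb12u1" and "~rc1" forms) are this example's own assumptions, not identifiers from the page.

```python
"""Added example: classify a Jetty / jetty9 version string against the
CVE-2024-22201 fixed versions quoted in the bug report. Version ordering
follows dpkg's algorithm; the function and table names are this example's own."""
from __future__ import annotations

import re

# Fixed upstream version per branch, as listed in the CVE text quoted in the
# bug report (9.4.54, 10.0.20, 11.0.20, 12.0.6). Table name is an assumption.
ADVISORY_FIXED_VERSIONS = {"9.4": "9.4.54", "10.0": "10.0.20", "11.0": "11.0.20", "12.0": "12.0.6"}


def _order(c: str) -> int:
    """dpkg's ordering weight for one non-digit character ('' = end of string)."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even the end of the string
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: compare character by character using dpkg's weights
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: strip leading zeros, then compare numerically
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1       # a has more digits left, so it is the larger number
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_debian_version(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, _, revision = version.rpartition("-")
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = split_debian_version(a)
    eb, ub, rb = split_debian_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def cve_2024_22201_status(version: str, fixed_versions: dict[str, str] = ADVISORY_FIXED_VERSIONS) -> str:
    """'fixed', 'affected' or 'unknown' for a Jetty/jetty9 version string.

    Only the upstream part is compared against the branch's fixed version, so a
    Debian revision or a '~deb12u1' rebuild suffix on an already fixed upstream
    version still counts as fixed, while a '~rc1' pre-release of the fixed
    version does not. Branches absent from the table return 'unknown'.
    """
    _, upstream, _ = split_debian_version(version)
    m = re.match(r"(\d+)\.(\d+)", upstream)
    fixed = fixed_versions.get(f"{m.group(1)}.{m.group(2)}") if m else None
    if fixed is None:
        return "unknown"
    return "fixed" if compare_versions(upstream, fixed) >= 0 else "affected"


if __name__ == "__main__":
    # constructed sample inputs: the version in the bug report, the fix, a
    # hypothetical stable rebuild, a hypothetical pre-release, an unlisted branch
    for v in ("9.4.53-1", "9.4.54-1", "9.4.54-1~deb12u1", "9.4.54~rc1-1", "10.0.19", "8.1.3-1"):
        print(f"{v:20} {cve_2024_22201_status(v)}")
```

On a Debian host the installed version can be read with `dpkg-query -W -f='${Version}\n' libjetty9-java` (or whichever jetty9 binary package the deployment actually uses). Two caveats: Debian's stable suites usually fix a CVE by patching the already packaged version rather than importing the new upstream release, so for any suite other than unstable the per-suite fixed version from the security tracker linked in the report, not the advisory's upstream list, is the right table to pass in; and a version check says nothing about a Jetty that was rebuilt or patched by hand, which still has to be verified against the upstream fix in issue 11256.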
--- Begin Message ---
Source: jetty9
Source-Version: 9.4.54-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
jetty9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated jetty9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Apr 2024 12:54:58 +0200
Source: jetty9
Architecture: source
Version: 9.4.54-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1064923
Changes:
 jetty9 (9.4.54-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 9.4.54.
     - Fix CVE-2024-22201:
       It was discovered that remote attackers may leave many HTTP/2 connections
       in ESTABLISHED state (not closed), TCP congested and idle. Eventually the
       server will stop accepting new connections from valid clients which can
       cause a denial of service. (Closes: #1064923)
       Thanks to Salvatore Bonaccorso for the report.
Checksums-Sha1:
 6f7ec9eca790dda15ebefa4cdef5ba1f5ec7cb70 2804 jetty9_9.4.54-1.dsc
 0916554e9ad12ec48e0a141e07012e263bbe7c4f 9877252 jetty9_9.4.54.orig.tar.xz
 646b89885eab28846d1430c9a442b6032eeb9f3f 30480 jetty9_9.4.54-1.debian.tar.xz
 970f196a4279d640f1eb04705566e5ac1112dc3b 19404 jetty9_9.4.54-1_amd64.buildinfo
Checksums-Sha256:
 674811a262d25aa3534275d44b009341eb1e37aef7a379a50954923f226a1124 2804 jetty9_9.4.54-1.dsc
 8fd58cfa055424cae97ce2dc7e2b5b717ff390e7aeecc72998c21a23bea9104c 9877252 jetty9_9.4.54.orig.tar.xz
 351edbed121652049c6fc83d49738884fc258d5bf72b7fcb1922b3a291b17748 30480 jetty9_9.4.54-1.debian.tar.xz
 f07de135abafc7e3d1ccbfdeaa568e1f80c70464cf42bb46d0f1b65bff2ff6b2 19404 jetty9_9.4.54-1_amd64.buildinfo
Files:
 55703a729cce7be9fcb0e2d2c656b1c5 2804 java optional jetty9_9.4.54-1.dsc
 e98515258f92ec2b1aea4f0d71167069 9877252 java optional jetty9_9.4.54.orig.tar.xz
 993e59e5b0225080b5381a18f2170bf6 30480 java optional jetty9_9.4.54-1.debian.tar.xz
 38794c89605a432b735a57df50e7a7be 19404 java optional jetty9_9.4.54-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmYRLABfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkimUQALrTr2l/4/E0FLy1vQUwIKe5NV3LkKT3yhtc
sDKrOKWaKb712hPhtX8uH6VNI1PJAMJsUODf6KsqVlGlBLn4TdI41a2hTsriNTBy
gyesprqXDWNUd7Iyr/Cf6ivD6R1qzZg+lswCK4xB4v2krW/vRhlAhZT6XdpBRO1c
idVhGNX6vja9idyiJfKMSEA/A6gEpUPxRTEvA3MR0Lo04dkSc0WY0MX5Cl7Y45Xv
gbVQP2JTpPRzY9atNDEbro2fl9lDRgW7ygblpMyiAJKcYjynC43kU80ulpp/2OgU
YYRWpra1DawotAg4SmWwtVtXxEJ/e53SpvWRp7pN7uRJkPy7HntgkOIIQGJ9FJae
prN9ae0CHZn1QIsiLonKrdjgKEIqHBl0D3bQzR9yDPb81BwesXF/n7qzpM1iuFZj
2mGZ5/gj76HjmVg6pb6LZXjLF+t4wfRg8mr1xARMxk5RZdbmAyNN5XQ/0ZmbGpvu
SaAvwJnjg4jUyE1/vXKX9ASX7DXjEpNq0RwHCcRXVTm9vInosKQUKnqSPNzKVE74
nPgY/KIKNe+E5t5LbcBqZ67ebI9LkQ5tOUNyVI4fLEFf3RgGdOMN4/cTgTF7tzmK
zv3dIX5nLB5dEAVAXGz+Zo6P5Adw1Lz4xAuJQWr1zWB+kKZ6yhlitU5JnHINiOUM
K+SeftRN
=iteK
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.