
Re: [SECURITY] [DLA 4106-1] jetty9 security update



Hello Moritz,

For the record, this should be fixed by DLA 4106-2:
https://lists.debian.org/debian-lts-announce/2025/04/msg00010.html

Also this wasn't caused by a compilation environment issue, but was related to the full trixie->bullseye backport process :)
https://salsa.debian.org/java-team/jetty9/-/commit/d1998ccba3e516cd6ea3c59bbbb07aa0e70d403f

Cheers!
Sylvain Beucler
Debian LTS Team

On 03/04/2025 14:11, Moritz Schlarb wrote:
Dear Markus,

could it be the case that the upload of jetty9:amd64=9.4.57-0+deb11u1 has been
built on Bookworm instead of Bullseye?

$ apt install jetty9
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  jetty9 : Depends: sysvinit-utils (>= 3.05-4~) but 2.96-7+deb11u1 is to be installed

I had to revert the other two installed lib packages so that their versions
match again (workaround for others that experience this):

$ apt install libjetty9-java=9.4.50-4+deb11u2 libjetty9-extra-java=9.4.50-4+deb11u2

Wasn't sure where and how to report this as a regression yet.

Regards,
Moritz

On Wed, 2025-04-02 at 00:02 +0200, Markus Koschany wrote:
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4106-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Markus Koschany
April 02, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : jetty9
Version        : 9.4.57-0+deb11u1
CVE ID         : CVE-2024-6762 CVE-2024-8184 CVE-2024-9823
Debian Bug     : 1085697

Jetty 9 is a Java based web server and servlet engine. Several security
vulnerabilities have been discovered which may allow remote attackers to
cause a denial of service by repeatedly sending crafted requests which can
trigger OutOfMemory errors and exhaust the server's memory.

CVE-2024-6762: In addition PushSessionCacheFilter and PushCacheFilter have
been deprecated. These classes should no longer be used in a production
environment.

For Debian 11 bullseye, these problems have been fixed in version
9.4.57-0+deb11u1.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
