Message-ID: <kqi2nuwafj3rm6e3xykryy5norff6q25qeoogw4ida32uveduo@t7loixt57w25>
Date: Fri, 9 May 2025 12:36:56 +0300
From: Valtteri Vuorikoski <vuori@...com.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-1948 & CVE-2024-13009: DoS and infoleak in Jetty

The Jetty project [1] has announced two security issues classified as
"high": a memory exhaustion issue with crafted HTTP/2 requests (12.x
series, fixed in 12.0.17) as CVE-2025-1948, and a cross-request data
corruption issue with potential information leakage when gzip compression
is enabled (9.4.x, fixed in 9.4.57, security patch to an otherwise EoL
release) as CVE-2024-13009.

CVE-2025-1948 details:
<https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8>

CVE-2024-13009 details:
<https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5>

[1] Description from project README: "Eclipse Jetty is a lightweight,
highly scalable, Java-based web server and Servlet engine. Jetty's goal is
to support web protocols (HTTP/1, HTTP/2, HTTP/3, WebSocket, etc.) in a
high volume low latency way that provides maximum performance while
retaining the ease of use and compatibility with years of Servlet
development."
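A small triage helper for the announcement above, added here as an example; it is not part of the original message and not code from the Jetty project. It encodes only the two fixed versions the announcement names (9.4.57 for CVE-2024-13009 and 12.0.17 for CVE-2025-1948) and the conditions the announcement attaches to each (gzip compression enabled, HTTP/2 in use). Which release lines it compares against (only 9.4.x and 12.0.x; anything else is reported as not covered) and the Jetty version string format it parses (`major.minor.patch` with an optional `.vYYYYMMDD` suffix) are assumptions of this example, as are the sample version strings in `main()`.

```python
"""Check a deployed Jetty version against the fixed releases named in the
announcement for CVE-2024-13009 and CVE-2025-1948.

Added example, not part of the original message or the Jetty project.
Only the two fixed versions stated in the announcement are encoded; the
mapping of release lines (9.4.x, 12.0.x) and the version-string format are
assumptions of this example.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    cve: str
    fixed_in: str
    condition: str  # precondition named in the announcement


# Fixed versions as stated in the announcement. Matching them to the
# "9.4" and "12.0" release lines is an assumption of this example.
ADVISORIES: List[Tuple[str, Finding]] = [
    ("9.4", Finding("CVE-2024-13009", "9.4.57", "gzip compression enabled")),
    ("12.0", Finding("CVE-2025-1948", "12.0.17", "HTTP/2 in use")),
]

# Assumed version format: major.minor.patch, optionally followed by a
# ".vYYYYMMDD"-style qualifier that is ignored for comparison.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\w+))?$")


def parse_version(s: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a Jetty version string."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {s!r}")
    major, minor, patch = m.groups()[:3]
    return int(major), int(minor), int(patch)


def check_jetty_version(version: str) -> Optional[List[Finding]]:
    """Return the findings that apply to `version`.

    [] means the release line is covered and already at or past the fixed
    version; None means the release line is not covered by this example's
    table, so no conclusion is drawn.
    """
    v = parse_version(version)
    series = f"{v[0]}.{v[1]}"
    for line, finding in ADVISORIES:
        if line == series:
            return [finding] if v < parse_version(finding.fixed_in) else []
    return None


def main() -> None:
    # Constructed sample inputs, not versions observed on any real host.
    samples = ["9.4.56.v20240826", "9.4.57", "12.0.16", "12.0.17", "11.0.20"]
    for s in samples:
        result = check_jetty_version(s)
        if result is None:
            print(f"{s}: release line not covered by this table")
        elif not result:
            print(f"{s}: at or past fixed version")
        else:
            for f in result:
                print(f"{s}: {f.cve} (fixed in {f.fixed_in}; "
                      f"relevant when {f.condition})")


if __name__ == "__main__":
    main()
```

The `condition` field is deliberately surfaced rather than folded into a yes/no answer: per the announcement, CVE-2024-13009 needs gzip compression enabled and CVE-2025-1948 needs HTTP/2 traffic, so a version match is a reason to go and check the connector and handler configuration, not a confirmed exposure on its own.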