Version in base suite: 9.4.50-4+deb11u1 Base version: jetty9_9.4.50-4+deb11u1 Target version: jetty9_9.4.50-4+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/j/jetty9/jetty9_9.4.50-4+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/j/jetty9/jetty9_9.4.50-4+deb11u2.dsc changelog | 11 +++ patches/CVE-2024-22201.patch | 138 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 150 insertions(+)
diff -Nru jetty9-9.4.50/debian/changelog jetty9-9.4.50/debian/changelog
--- jetty9-9.4.50/debian/changelog 2023-10-29 15:12:42.000000000 +0000
+++ jetty9-9.4.50/debian/changelog 2024-04-07 20:24:31.000000000 +0000
@@ -1,3 +1,14 @@
+jetty9 (9.4.50-4+deb11u2) bullseye-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2024-22201:
+ It was discovered that remote attackers may leave many HTTP/2 connections
+ in ESTABLISHED state (not closed), TCP congested and idle. Eventually the
+ server will stop accepting new connections from valid clients which can
+ cause a denial of service.
+
+ -- Markus Koschany Sun, 07 Apr 2024 22:24:31 +0200
+
 jetty9 (9.4.50-4+deb11u1) bullseye-security; urgency=high
 
 * Team upload.
diff -Nru jetty9-9.4.50/debian/patches/CVE-2024-22201.patch jetty9-9.4.50/debian/patches/CVE-2024-22201.patch
--- jetty9-9.4.50/debian/patches/CVE-2024-22201.patch 1970-01-01 00:00:00.000000000 +0000
+++ jetty9-9.4.50/debian/patches/CVE-2024-22201.patch 2024-04-07 20:24:31.000000000 +0000
@@ -0,0 +1,138 @@
+From: Markus Koschany
+Date: Wed, 20 Mar 2024 09:28:22 +0100
+Subject: CVE-2024-22201
+
+Origin: https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b
+Bug-Debian: https://bugs.debian.org/1064923
+---
+ .../jetty/http2/client/IdleTimeoutTest.java | 56 ++++++++++++++++++++++
+ .../java/org/eclipse/jetty/http2/HTTP2Session.java | 14 +++++-
+ 2 files changed, 69 insertions(+), 1 deletion(-)
+
+diff --git a/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/IdleTimeoutTest.java b/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/IdleTimeoutTest.java
+index 3871b32..5e65cbb 100644
+--- a/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/IdleTimeoutTest.java
++++ b/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/IdleTimeoutTest.java
+@@ -19,7 +19,11 @@
+ package org.eclipse.jetty.http2.client;
+ 
+ import java.io.IOException;
++import java.net.InetSocketAddress;
+ import java.nio.ByteBuffer;
++import java.nio.channels.SelectionKey;
++import java.nio.channels.SocketChannel;
++import java.time.Duration;
+ import java.util.concurrent.CountDownLatch;
+ import java.util.concurrent.TimeUnit;
+ import java.util.concurrent.TimeoutException;
+@@ -43,7 +47,10 @@ import org.eclipse.jetty.http2.frames.DataFrame;
+ import org.eclipse.jetty.http2.frames.GoAwayFrame;
+ import org.eclipse.jetty.http2.frames.HeadersFrame;
+ import org.eclipse.jetty.http2.frames.ResetFrame;
++import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory;
+ import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
++import org.eclipse.jetty.io.ManagedSelector;
++import org.eclipse.jetty.io.SocketChannelEndPoint;
+ import org.eclipse.jetty.server.HttpConfiguration;
+ import org.eclipse.jetty.server.Server;
+ import org.eclipse.jetty.server.ServerConnector;
+@@ -57,7 +64,9 @@ import org.eclipse.jetty.util.thread.QueuedThreadPool;
+ import org.hamcrest.Matchers;
+ import org.junit.jupiter.api.Test;
+ 
++import static org.awaitility.Awaitility.await;
+ import static org.hamcrest.MatcherAssert.assertThat;
++import static org.hamcrest.Matchers.is;
+ import static org.junit.jupiter.api.Assertions.assertEquals;
+ import static org.junit.jupiter.api.Assertions.assertFalse;
+ import static org.junit.jupiter.api.Assertions.assertTrue;
+@@ -681,6 +690,53 @@ public class IdleTimeoutTest extends AbstractTest
+ assertThat(((ISession)client).updateSendWindow(0), Matchers.greaterThan(0));
+ }
+ 
++ @Test
++ public void testIdleTimeoutWhenCongested() throws Exception
++ {
++ long idleTimeout = 1000;
++ HTTP2CServerConnectionFactory h2c = new HTTP2CServerConnectionFactory(new HttpConfiguration());
++ prepareServer(h2c);
++ server.removeConnector(connector);
++ connector = new ServerConnector(server, 1, 1, h2c)
++ {
++ @Override
++ protected SocketChannelEndPoint newEndPoint(SocketChannel channel, ManagedSelector selectSet, SelectionKey key)
++ {
++ SocketChannelEndPoint endpoint = new SocketChannelEndPoint(channel, selectSet, key, getScheduler())
++ {
++ @Override
++ public boolean flush(ByteBuffer... buffers)
++ {
++ // Fake TCP congestion.
++ return false;
++ }
++
++ @Override
++ protected void onIncompleteFlush()
++ {
++ // Do nothing here to avoid spin loop,
++ // since the network is actually writable,
++ // as we are only faking TCP congestion.
++ }
++ };
++ endpoint.setIdleTimeout(getIdleTimeout());
++ return endpoint;
++ }
++ };
++ connector.setIdleTimeout(idleTimeout);
++ server.addConnector(connector);
++ server.start();
++
++ prepareClient();
++ client.start();
++
++ InetSocketAddress address = new InetSocketAddress("localhost", connector.getLocalPort());
++ // The connect() will complete exceptionally.
++ client.connect(address, new Session.Listener.Adapter(), new Promise.Completable<>());
++
++ await().atMost(Duration.ofMillis(5 * idleTimeout)).until(() -> connector.getConnectedEndPoints().size(), is(0));
++ }
++
+ private void sleep(long value)
+ {
+ try
+diff --git a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java
+index a1c5ace..bfbc02b 100644
+--- a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java
++++ b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java
+@@ -1824,6 +1824,7 @@ public abstract class HTTP2Session extends ContainerLifeCycle implements ISessio
+ {
+ String reason = "idle_timeout";
+ boolean notify = false;
++ boolean terminate = false;
+ boolean sendGoAway = false;
+ GoAwayFrame goAwayFrame = null;
+ Throwable cause = null;
+@@ -1867,11 +1868,22 @@ public abstract class HTTP2Session extends ContainerLifeCycle implements ISessio
+ {
+ if (LOG.isDebugEnabled())
+ LOG.debug("Already closed, ignored idle timeout for {}", HTTP2Session.this);
+- return false;
++ // Writes may be TCP congested, so termination never happened.
++ terminate = true;
++ goAwayFrame = goAwaySent;
++ if (goAwayFrame == null)
++ goAwayFrame = goAwayRecv;
++ break;
+ }
+ }
+ }
+ 
++ if (terminate)
++ {
++ terminate(goAwayFrame);
++ return false;
++ }
++
+ if (notify)
+ {
+ boolean confirmed = notifyIdleTimeout(HTTP2Session.this);
diff -Nru jetty9-9.4.50/debian/patches/series jetty9-9.4.50/debian/patches/series
--- jetty9-9.4.50/debian/patches/series 2023-10-29 15:12:42.000000000 +0000
+++ jetty9-9.4.50/debian/patches/series 2024-04-07 20:24:31.000000000 +0000
@@ -13,3 +13,4 @@
 CVE-2023-36479.patch
 CVE-2023-44487.patch
 CVE-2023-36478.patch
+CVE-2024-22201.patch
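Review bot: The debug message kept on the CLOSED branch of HTTP2Session, `LOG.debug("Already closed, ignored idle timeout for {}", HTTP2Session.this);`, is now misleading, because the branch no longer ignores the timeout: it sets `terminate = true`, breaks, and the new `if (terminate)` block calls `terminate(goAwayFrame)` — which is precisely the congested-write recovery this fix exists for, so an operator reading logs for it will be told the opposite of what happened; `LOG.debug("Already closed, terminating on idle timeout for {}", HTTP2Session.this);` would match the new behaviour. Separately, goAwayFrame is taken from goAwaySent and then goAwayRecv and stays null if neither is set; whether terminate() tolerates a null frame is not visible in this hunk, so it is worth confirming and recording with a comment such as `// goAwayFrame may be null if no GOAWAY was sent or received; terminate() must accept that`. The enclosing method begins before the hunk, so the state switch this branch belongs to is only partly visible. In the new IdleTimeoutTest method, the `Promise.Completable` passed to connect() is discarded, so the comment's claim that connect() completes exceptionally is never asserted — only the endpoint count reaching zero is checked.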