Dear Markus,

could it be the case that the upload of jetty9:amd64=9.4.57-0+deb11u1 has been built on Bookworm instead of Bullseye?

$ apt install jetty9
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 jetty9 : Depends: sysvinit-utils (>= 3.05-4~) but 2.96-7+deb11u1 is to be installed

I had to revert the other two installed lib packages so that their versions match again (workaround for others that experience this):

$ apt install libjetty9-java=9.4.50-4+deb11u2 libjetty9-extra-java=9.4.50-4+deb11u2

Wasn't sure where and how to report this as a regression yet.

Regards,
Moritz

On Wed, 2025-04-02 at 00:02 +0200, Markus Koschany wrote:
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-4106-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                      Markus Koschany
> April 02, 2025                                https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package        : jetty9
> Version        : 9.4.57-0+deb11u1
> CVE ID         : CVE-2024-6762 CVE-2024-8184 CVE-2024-9823
> Debian Bug     : 1085697
>
> Jetty 9 is a Java based web server and servlet engine. Several security
> vulnerabilities have been discovered which may allow remote attackers to cause
> a denial of service by repeatedly sending crafted requests which can trigger
> OutofMemory errors and exhaust the server's memory.
>
> CVE-2024-6762: In addition PushSessionCacheFilter and PushCacheFilter have been
> deprecated. These classes should no longer be used in a production
> environment.
>
> For Debian 11 bullseye, these problems have been fixed in version
> 9.4.57-0+deb11u1.
>
> We recommend that you upgrade your jetty9 packages.
>
> For the detailed security status of jetty9 please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/jetty9
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS