Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a Java-based web server and servlet engine. The HTTP/2 protocol implementation did not sufficiently verify whether HPACK header values exceeded their size limit. Furthermore, the HTTP/2 protocol allowed a denial of service (server resource consumption) because request cancellation can reset many streams quickly. This problem is also known as the Rapid Reset Attack.
https://security-tracker.debian.org/tracker/DSA-5540-1
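The Rapid Reset pattern described above (many streams opened and immediately cancelled on one connection) is visible in frame-level logs, so a defender can spot it independently of the server fix. The following added example, which is not Jetty's or Debian's code, runs a sliding-window detector over a constructed list of HTTP/2 frame events of the form (timestamp, connection id, frame type, stream id); the window length, reset threshold and reset ratio are illustrative assumptions, not values from the advisory.

```python
"""Flag HTTP/2 connections showing Rapid Reset style behaviour.

Added example, not Jetty's or Debian's code. It assumes frame events of the
form (timestamp_seconds, connection_id, frame_type, stream_id) as a proxy or
server might log them; threshold defaults are illustrative assumptions.
"""
from collections import defaultdict, deque


def _build_sample_events():
    """Constructed sample data (not captured traffic)."""
    events = []
    # c1: 20 streams opened and each cancelled 5 ms later, all within 0.2 s.
    for i in range(20):
        events.append((0.01 * i, "c1", "HEADERS", 2 * i + 1))
        events.append((0.01 * i + 0.005, "c1", "RST_STREAM", 2 * i + 1))
    # c2: a normal client, five slow requests and one cancellation.
    for i in range(5):
        events.append((1.0 * i, "c2", "HEADERS", 2 * i + 1))
    events.append((2.5, "c2", "RST_STREAM", 5))
    # c3: bursty but legitimate, 15 streams and only 2 resets.
    for i in range(15):
        events.append((0.03 * i, "c3", "HEADERS", 2 * i + 1))
    events.append((0.2, "c3", "RST_STREAM", 13))
    events.append((0.4, "c3", "RST_STREAM", 25))
    return events


SAMPLE_EVENTS = _build_sample_events()


def rapid_reset_offenders(events, window_seconds=1.0, max_resets=10,
                          min_reset_ratio=0.8):
    """Return connection ids whose RST_STREAM count inside a sliding window
    exceeds max_resets and is at least min_reset_ratio of the streams the
    connection opened (HEADERS frames) in that same window.

    The ratio test keeps busy-but-honest clients (many opens, few resets)
    from being flagged on volume alone.
    """
    opens = defaultdict(deque)    # conn -> timestamps of HEADERS frames
    resets = defaultdict(deque)   # conn -> timestamps of RST_STREAM frames
    offenders = set()
    for ts, conn, ftype, _sid in sorted(events):
        if ftype == "HEADERS":
            opens[conn].append(ts)
        elif ftype == "RST_STREAM":
            resets[conn].append(ts)
        else:
            continue  # other frame types do not affect this heuristic
        # Expire events that fell out of the window for this connection.
        for dq in (opens[conn], resets[conn]):
            while dq and ts - dq[0] > window_seconds:
                dq.popleft()
        n_reset = len(resets[conn])
        n_open = len(opens[conn])
        if n_reset > max_resets and n_open and n_reset / n_open >= min_reset_ratio:
            offenders.add(conn)
    return sorted(offenders)


if __name__ == "__main__":
    print("suspected rapid-reset connections:", rapid_reset_offenders(SAMPLE_EVENTS))
```

On the constructed sample only c1 is reported; c3 generates a burst of streams but few resets, which is why the detector compares resets against opens rather than counting resets alone. In production the thresholds would be tuned against baseline traffic, and the same logic can feed a per-connection rate limit or an alert rather than a printed list.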