
Debian 9.4.50-4: DSA-5507-1 Moderate: Jetty9 Cookie Parsing Flaw

September 28, 2023
Several vulnerabilities in Tomcat necessitate immediate patches to ensure user protection and system reliability. Update advised.

Summary

Multiple security vulnerabilities were found in Jetty, a Java-based web server
and servlet engine.

The org.eclipse.jetty.servlets.CGI class has been deprecated. It is potentially
unsafe to use it. The upstream developers of Jetty recommend using FastCGI
instead. See also CVE-2023-36479.

CVE-2023-26048

In affected versions servlets with multipart support (e.g. annotated with
`@MultipartConfig`) that call `HttpServletRequest.getParameter()` or
`HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
client sends a multipart request with a part that has a name but no
filename and very large content. This happens even with the default
settings of `fileSizeThreshold=0` which should stream the whole part
content to disk.
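An added example, not Jetty's code and not part of the advisory, of the check an upload-handling layer can apply against the CVE-2023-26048 condition: a minimal multipart/form-data walker, written in Python for portability, that caps the size of parts carrying a name but no filename before such a part is accepted for buffering. The boundary, field names and contents below are constructed for the example, and the walker operates on an in-memory body for brevity.

```python
import re

BOUNDARY = b"XxBoundaryXx"  # constructed boundary for this example


class PartTooLarge(Exception):
    """Raised when a form field (name but no filename) exceeds the cap."""


def build_multipart(parts, boundary=BOUNDARY):
    """Build a multipart/form-data body from (name, filename-or-None, content) tuples."""
    body = b""
    for name, filename, content in parts:
        disposition = f'form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        body += b"--" + boundary + b"\r\n"
        body += f"Content-Disposition: {disposition}\r\n\r\n".encode("ascii")
        body += content + b"\r\n"
    return body + b"--" + boundary + b"--\r\n"


def check_multipart(body, boundary=BOUNDARY, max_field_bytes=64 * 1024):
    """Walk the parts and enforce a byte cap on parts that have a name but no
    filename, the shape of part the advisory describes as triggering the
    OutOfMemoryError. Returns [(name, filename, size)] for an accepted body."""
    delimiter = b"--" + boundary
    accepted = []
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble
        if chunk.startswith(b"--"):              # closing delimiter: done
            break
        headers, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: missing header/body separator")
        if data.endswith(b"\r\n"):
            data = data[:-2]                     # CRLF that precedes the next delimiter
        # (?<!\w) keeps 'name=' from matching inside 'filename='
        name_m = re.search(rb'(?<!\w)name="([^"]*)"', headers)
        file_m = re.search(rb'filename="([^"]*)"', headers)
        name = name_m.group(1).decode("ascii") if name_m else None
        filename = file_m.group(1).decode("ascii") if file_m else None
        if name is not None and filename is None and len(data) > max_field_bytes:
            raise PartTooLarge(f"field {name!r}: {len(data)} bytes > {max_field_bytes}")
        accepted.append((name, filename, len(data)))
    return accepted
```

A production guard would apply the same cap while streaming the body rather than after reading it whole.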

CVE-2023-26049

Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies, or otherwise perform unintended behavior by
tampering with the cookie parsing mechanism.

CVE-2023-40167

Prior to this...


Package: jetty9
CVE ID: CVE-2023-26048 CVE-2023-26049 CVE-2023-36479 CVE-2023-40167
