diff --git a/0008-Fix-CVE-2025-5115.patch b/0008-Fix-CVE-2025-5115.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1e2d97a1ac4f11181e54175041123b6c5e1f5fd0
--- /dev/null
+++ b/0008-Fix-CVE-2025-5115.patch
@@ -0,0 +1,216 @@
+diff --git a/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/SmallThreadPoolLoadTest.java b/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/SmallThreadPoolLoadTest.java
+index f365155..b21feb5 100644
+--- a/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/SmallThreadPoolLoadTest.java
++++ b/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/SmallThreadPoolLoadTest.java
+@@ -40,6 +40,7 @@ import org.eclipse.jetty.http2.api.Stream;
+ import org.eclipse.jetty.http2.frames.DataFrame;
+ import org.eclipse.jetty.http2.frames.HeadersFrame;
+ import org.eclipse.jetty.http2.frames.ResetFrame;
++import org.eclipse.jetty.http2.parser.RateControl;
+ import org.eclipse.jetty.http2.server.AbstractHTTP2ServerConnectionFactory;
+ import org.eclipse.jetty.servlet.ServletContextHandler;
+ import org.eclipse.jetty.util.ByteArrayOutputStream2;
+@@ -79,6 +80,8 @@ public class SmallThreadPoolLoadTest extends AbstractTest
+ public void testConcurrentWithSmallServerThreadPool() throws Exception
+ {
+ start(new LoadServlet());
++ AbstractHTTP2ServerConnectionFactory h2 = connector.getConnectionFactory(AbstractHTTP2ServerConnectionFactory.class);
++ h2.setRateControlFactory(new RateControl.Factory() {});
+
+ // Only one connection to the server.
+ Session session = newClient(new Session.Listener.Adapter());
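Review bot: Within the files shown, the only test change switches rate control off for this load test (`h2.setRateControlFactory(new RateControl.Factory() {});`), and no test drives the new `ENHANCE_YOUR_CALM_ERROR` paths for RST_STREAM or WINDOW_UPDATE. A regression test asserting that a connection is closed once the configured rate is exceeded would show that the CVE fix is effective in this backport. The empty anonymous factory presumably falls back to a default that applies no limit, so a one-line comment would help, e.g. `// Rate control is disabled: this load test legitimately resets many streams.`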
+diff --git a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java
+index 793982a..90ee27c 100644
+--- a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java
++++ b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java
+@@ -471,8 +471,17 @@ public abstract class HTTP2Session extends ContainerLifeCycle implements ISessio
+ }
+ else
+ {
+- if (!isStreamClosed(streamId))
++ if (isStreamClosed(streamId))
++ {
++ // SPEC: this case must not be treated as an error.
++ // However, we want to rate control it.
++ if (!rateControlOnEvent(frame))
++ onConnectionFailure(ErrorCode.ENHANCE_YOUR_CALM_ERROR.code, "invalid_window_update_frame_rate");
++ }
++ else
++ {
+ onConnectionFailure(ErrorCode.PROTOCOL_ERROR.code, "unexpected_window_update_frame");
++ }
+ }
+ }
+ else
+@@ -616,14 +625,26 @@ public abstract class HTTP2Session extends ContainerLifeCycle implements ISessio
+
+ void reset(IStream stream, ResetFrame frame, Callback callback)
+ {
+- control(stream, Callback.from(() ->
++ if (rateControlOnEvent(frame))
+ {
+- if (stream != null)
++ control(stream, Callback.from(() ->
+ {
+- stream.close();
+- removeStream(stream);
+- }
+- }, callback), frame);
++ if (stream != null)
++ {
++ stream.close();
++ removeStream(stream);
++ }
++ }, callback), frame);
++ }
++ else
++ {
++ onConnectionFailure(ErrorCode.ENHANCE_YOUR_CALM_ERROR.code, "invalid_rst_stream_frame_rate");
++ }
++ }
++
++ private boolean rateControlOnEvent(Object event)
++ {
++ return getParser().rateControlOnEvent(event);
+ }
+
+ /**
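Review bot: On the rate-limited `else` branch of `reset()` the `callback` argument is never completed, because `onConnectionFailure(ErrorCode.ENHANCE_YOUR_CALM_ERROR.code, "invalid_rst_stream_frame_rate")` is not given it. A caller waiting on that callback therefore sees neither `succeeded()` nor `failed()` when the limit trips. If this code line has an `onConnectionFailure` overload that takes a `Callback`, pass `callback` to it; otherwise fail it explicitly in that branch, e.g. `callback.failed(new IOException("invalid_rst_stream_frame_rate"));`.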
+diff --git a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/BodyParser.java b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/BodyParser.java
+index 1ad3e3d..c465015 100644
+--- a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/BodyParser.java
++++ b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/BodyParser.java
+@@ -231,7 +231,7 @@ public abstract class BodyParser
+ protected boolean streamFailure(int streamId, int error, String reason)
+ {
+ notifyStreamFailure(streamId, error, reason);
+- return false;
++ return true;
+ }
+
+ private void notifyStreamFailure(int streamId, int error, String reason)
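Review bot: Changing `streamFailure()` to `return true` alters the result for every `BodyParser` subclass that calls it, yet the only caller this patch adjusts is `WindowUpdateBodyParser.onWindowUpdate()`, which now calls `reset()` before the failure path. Any other caller lies outside the patch and should be checked for whether it resets its own parse state before returning this value. The new contract also deserves a comment on the method; judging by the success path in `onWindowUpdate()`, `true` presumably means the frame was consumed, e.g. `// A stream-level failure consumes the frame; parsing of the connection continues.`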
+@@ -248,6 +248,6 @@ public abstract class BodyParser
+
+ protected boolean rateControlOnEvent(Object o)
+ {
+- return headerParser.getRateControl().onEvent(o);
++ return headerParser.rateControlOnEvent(o);
+ }
+ }
+diff --git a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/HeaderParser.java b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/HeaderParser.java
+index 7e21ae9..da9770a 100644
+--- a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/HeaderParser.java
++++ b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/HeaderParser.java
+@@ -48,6 +48,11 @@ public class HeaderParser
+ return rateControl;
+ }
+
++ boolean rateControlOnEvent(Object o)
++ {
++ return getRateControl().onEvent(o);
++ }
++
+ protected void reset()
+ {
+ state = State.LENGTH;
+diff --git a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/Parser.java b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/Parser.java
+index e4fb61e..cdbd393 100644
+--- a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/Parser.java
++++ b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/Parser.java
+@@ -91,6 +91,11 @@ public class Parser
+ bodyParsers[FrameType.CONTINUATION.getType()] = new ContinuationBodyParser(headerParser, listener, headerBlockParser, headerBlockFragments);
+ }
+
++ public boolean rateControlOnEvent(Object event)
++ {
++ return headerParser.rateControlOnEvent(event);
++ }
++
+ private void reset()
+ {
+ headerParser.reset();
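Review bot: `Parser.rateControlOnEvent(Object)` is added as public API without Javadoc, so the polarity of its boolean can only be inferred from the callers. In `HTTP2Session` a `false` result leads to `ENHANCE_YOUR_CALM_ERROR`, so `true` appears to mean the event is within the allowed rate. I would state that on the method, e.g. `/** Records the event with the RateControl; returns {@code false} when the limit is exceeded and the connection should be failed. */`. The new package-private `HeaderParser.rateControlOnEvent` could carry the same sentence.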
+diff --git a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/WindowUpdateBodyParser.java b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/WindowUpdateBodyParser.java
+index 4da9ed6..8792e37 100644
+--- a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/WindowUpdateBodyParser.java
++++ b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/parser/WindowUpdateBodyParser.java
+@@ -94,15 +94,16 @@ public class WindowUpdateBodyParser extends BodyParser
+ private boolean onWindowUpdate(ByteBuffer buffer, int windowDelta)
+ {
+ int streamId = getStreamId();
++ WindowUpdateFrame frame = new WindowUpdateFrame(streamId, windowDelta);
++ reset();
+ if (windowDelta == 0)
+ {
+ if (streamId == 0)
+ return connectionFailure(buffer, ErrorCode.PROTOCOL_ERROR.code, "invalid_window_update_frame");
+- else
++ if (rateControlOnEvent(frame))
+ return streamFailure(streamId, ErrorCode.PROTOCOL_ERROR.code, "invalid_window_update_frame");
++ return connectionFailure(buffer, ErrorCode.ENHANCE_YOUR_CALM_ERROR.code, "invalid_window_update_frame_rate");
+ }
+- WindowUpdateFrame frame = new WindowUpdateFrame(streamId, windowDelta);
+- reset();
+ notifyWindowUpdate(frame);
+ return true;
+ }
+diff --git a/jetty-http2/http2-server/src/main/config/etc/jetty-http2.xml b/jetty-http2/http2-server/src/main/config/etc/jetty-http2.xml
+index 398ac69..2ff5686 100644
+--- a/jetty-http2/http2-server/src/main/config/etc/jetty-http2.xml
++++ b/jetty-http2/http2-server/src/main/config/etc/jetty-http2.xml
+@@ -12,7 +12,7 @@
+
+
+
+-
++
+
+
+
+diff --git a/jetty-http2/http2-server/src/main/config/etc/jetty-http2c.xml b/jetty-http2/http2-server/src/main/config/etc/jetty-http2c.xml
+index be65555..75423b3 100644
+--- a/jetty-http2/http2-server/src/main/config/etc/jetty-http2c.xml
++++ b/jetty-http2/http2-server/src/main/config/etc/jetty-http2c.xml
+@@ -11,7 +11,7 @@
+
+
+
+-
++
+
+
+
+diff --git a/jetty-http2/http2-server/src/main/config/modules/http2.mod b/jetty-http2/http2-server/src/main/config/modules/http2.mod
+index 46cb596..a16472c 100644
+--- a/jetty-http2/http2-server/src/main/config/modules/http2.mod
++++ b/jetty-http2/http2-server/src/main/config/modules/http2.mod
+@@ -34,4 +34,4 @@ etc/jetty-http2.xml
+ # jetty.http2.maxSettingsKeys=64
+
+ ## Max number of bad frames and pings per second
+-# jetty.http2.rateControl.maxEventsPerSecond=20
++# jetty.http2.rateControl.maxEventsPerSecond=128
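Review bot: The comment above the changed default, `## Max number of bad frames and pings per second`, no longer describes what the limit counts. With this patch `HTTP2Session.reset()` and the WINDOW_UPDATE-on-closed-stream path feed the same rate control, so the value now also bounds stream resets. Operators tuning it need that spelled out, for example `## Max number of rate-controlled events per second (bad frames, pings, stream resets, WINDOW_UPDATE on closed streams)`. The identical comment in `http2c.mod` needs the same update.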
+diff --git a/jetty-http2/http2-server/src/main/config/modules/http2c.mod b/jetty-http2/http2-server/src/main/config/modules/http2c.mod
+index aae7e6d..f378bee 100644
+--- a/jetty-http2/http2-server/src/main/config/modules/http2c.mod
++++ b/jetty-http2/http2-server/src/main/config/modules/http2c.mod
+@@ -29,4 +29,4 @@ etc/jetty-http2c.xml
+ # jetty.http2.maxSettingsKeys=64
+
+ ## Max number of bad frames and pings per second
+-# jetty.http2.rateControl.maxEventsPerSecond=20
++# jetty.http2.rateControl.maxEventsPerSecond=128
+diff --git a/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DemoBaseTests.java b/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DemoBaseTests.java
+index 54140d4..6ea8c8e 100644
+--- a/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DemoBaseTests.java
++++ b/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DemoBaseTests.java
+@@ -174,7 +174,7 @@ public class DemoBaseTests extends AbstractDistributionTest
+ startHttpClient();
+ ContentResponse response = client.GET("http://localhost:" + httpPort + "/proxy/current/");
+ assertEquals(HttpStatus.OK_200, response.getStatus());
+- assertThat("Expecting APIdoc contents", response.getContentAsString(), containsString("All Classes"));
++ assertThat("Expecting APIdoc contents", response.getContentAsString(), containsString("javadoc"));
+ }
+ }
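Review bot: The assertion change from `containsString("All Classes")` to `containsString("javadoc")` is unrelated to rate control and accepts a much broader set of responses, since any page mentioning "javadoc" now passes. If it is carried over from the upstream pull request, a line in the patch header saying so would make the security backport easier to audit. Otherwise it belongs in a separate patch. The enclosing test method starts outside the hunk.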
+
+--
+2.47.3
+
diff --git a/jetty.spec b/jetty.spec
index 4545c616a17326c5263e95d50b7171142f8148b7..fb4ab25ad9613d56ac627a46e76e70a64b96355f 100644
--- a/jetty.spec
+++ b/jetty.spec
@@ -1,4 +1,4 @@
-%define anolis_release 6
+%define anolis_release 7
%bcond_without bootstrap
@@ -88,6 +88,8 @@ Patch9: 0005-Fix-CVE-2024-6762-3.patch
Patch10: 0006-Fix-CVE-2024-8184.patch
# https://github.com/jetty/jetty.project/pull/8146
Patch11: 0007-Fix-CVE-2022-2047.patch
+# https://github.com/jetty/jetty.project/pull/13461
+Patch12: 0008-Fix-CVE-2025-5115.patch
%if %{with bootstrap}
BuildRequires: javapackages-bootstrap
@@ -624,6 +626,7 @@ License: (ASL 2.0 or EPL-1.0) and MIT
%patch9 -p1
%patch10 -p1
%patch11 -p1
+%patch12 -p1
find . -name "*.?ar" -exec rm {} \;
find . -name "*.class" -exec rm {} \;
@@ -1007,6 +1010,9 @@ exit 0
%license LICENSE NOTICE.txt LICENSE-MIT
%changelog
+* Wed Sep 24 2025 wh02252983 - 9.4.43-7
+- add patch to fix CVE-2025-5115
+
* Thu Aug 07 2025 wenxin - 9.4.43-6
- add patch to fix CVE-2022-2047