This bug was fixed in the package jetty9 - 9.4.15-1~18.04.1ubuntu1

---------------
jetty9 (9.4.15-1~18.04.1ubuntu1) bionic; urgency=medium

  [ Matthias Klose ]
  * Backport for OpenJDK 11. LP: #1817567.

  [ Tiago Stürmer Daitx ]
  * debian/jetty9.init, debian/jetty9.default: revert conffiles to previous
    version, this allows unattended-upgrades to update the package even
    when there are local changes.

jetty9 (9.4.15-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - New build dependency on libjboss-logging-java
    - Ignore the new jetty-websocket-tests module
  * Standards-Version updated to 4.3.0

jetty9 (9.4.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Ignore the new test dependencies
    - Build the new modules: jetty-alpn-java-*, jetty-alpn-openjdk8-*,
      jetty-http2-*, jetty-cdi-* and jetty-unixsocket
    - Ignore the new optional modules: jetty-alpn-conscrypt-*,
      jetty-memcached, jetty-cdi-servlet, jetty-gcloud, jetty-hazelcast
      and jetty-infinispan
    - No longer build the removed modules: jetty-monitor and jetty-rhttp-*
    - Updated the Maven rules
    - Derive the content of the jetty9 package from the output
      of the jetty-distribution module
    - Require Java 8 or higher to run
    - Depend on libasm-java (>= 7.0)
    - Updated the links in /usr/share/jetty9/lib/
    - Added jetty-util.jar to the classpath of jetty-start.jar
  * Added a systemd service file
  * Removed the default 256M heap limit
  * Removed the NO_START option from the service configuration
  * Depend on libtomcat9-java instead of libtomcat8-java
  * Don't follow the symlinks when setting the owner of the
    /var/cache/jetty9, /var/log/jetty9 and /var/lib/jetty9 directories
    in the postinst script
  * Updated the README file (Closes: #906770)
  * Exclude the documentation directory from the upstream tarball

jetty9 (9.2.26-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Fixed the Maven rule for tomcat-jaspic-api (Closes: #907147)
  * Standards-Version updated to 4.2.1

jetty9 (9.2.25-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Fixes CVE-2017-7656: A remote user can submit a specially crafted
      HTTP/0.9 request containing invalid request headers to cause Jetty
      and an upstream HTTP agent (such as an origin server or another
      proxy) to interpret the boundary of the HTTP request differently.
      As a result, a malicious request may be embedded within another
      request as processed by the subsequent system. This allows a remote
      user to potentially poison the cache.
    - Fixes CVE-2017-7657: A remote user can submit a specially crafted
      HTTP request containing invalid Chunked Transfer-Encoding headers to
      cause Jetty and an upstream HTTP agent (such as an origin server or
      another proxy) to interpret the boundary of the HTTP request
      differently. As a result, a malicious request may be embedded within
      another request as processed by the subsequent system. This allows a
      remote user to potentially poison the cache.
    - Fixes CVE-2017-7658: A remote user can submit a specially crafted
      HTTP request containing more than one Content-Length header to cause
      Jetty and an upstream HTTP agent (such as an origin server or another
      proxy) to interpret the boundary of the HTTP request differently.
      As a result, a malicious request may be embedded within another
      request as processed by the subsequent system. This allows a remote
      user to potentially poison the cache.
  * Compile with the --release parameter to preserve the compatibility
    with older JREs

jetty9 (9.2.24-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Standards-Version updated to 4.1.4
  * Switch to debhelper level 11
  * Use salsa.debian.org Vcs-* URLs

 -- Tiago Stürmer Daitx
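The three CVE entries in the 9.2.25-1 changelog all describe two HTTP agents disagreeing about where a request ends. The following is an added example, not Jetty's fix and not part of the original changelog: a strict header-level check that a front-end or log pipeline could apply to reject requests with ambiguous framing. The function name, messages and sample requests are assumptions made for illustration, and it inspects only the request head, not chunk bodies.

```python
import re

# RFC 7230 "token": the only characters allowed in a header field name.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_problems(raw):
    """List the reasons a request head is ambiguous about where the body ends."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    request_line, header_lines = lines[0], [l for l in lines[1:] if l]
    problems, headers = [], {}

    # An HTTP/0.9 request has no header section (class described for CVE-2017-7656).
    parts = request_line.split(b" ")
    if (len(parts) == 2 or parts[-1] == b"HTTP/0.9") and header_lines:
        problems.append("HTTP/0.9 request line followed by headers")

    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.fullmatch(name):
            problems.append("malformed header line")  # folding, space before ':'
            continue
        headers.setdefault(name.lower(), []).append(value.strip())

    lengths = headers.get(b"content-length", [])
    codings = [c.strip().lower() for v in headers.get(b"transfer-encoding", [])
               for c in v.split(b",")]

    # More than one Content-Length (the CVE-2017-7658 case), or a non-numeric value.
    if len(lengths) > 1:
        problems.append("more than one Content-Length header")
    if any(not v.isdigit() for v in lengths):
        problems.append("non-numeric Content-Length")

    # Transfer-Encoding header problems (class described for CVE-2017-7657).
    if codings:
        if codings[-1] != b"chunked" or codings.count(b"chunked") != 1:
            problems.append("Transfer-Encoding does not end in a single 'chunked'")
        if lengths:
            problems.append("both Transfer-Encoding and Content-Length present")
    return problems

# Constructed sample requests (example.test is a placeholder host).
HEAD = b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {
    "clean": HEAD + b"Content-Length: 3\r\n\r\nabc",
    "two lengths": HEAD + b"Content-Length: 3\r\nContent-Length: 0\r\n\r\nabc",
    "bad coding": HEAD + b"Transfer-Encoding: chunked, identity\r\n\r\n",
    "0.9 with headers": b"GET /a\r\nHost: example.test\r\n\r\n",
}
```

Any non-empty result means the request should be rejected rather than forwarded, since a downstream agent may pick a different boundary.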