Lucene search

DebianDEBIAN:DLA-2330-1:B8DE4

HistoryAug 16, 2020 - 1:13 p.m.

[SECURITY] [DLA 2330-1] jruby security update

2020-08-1613:13:11

lists.debian.org

129

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

50.2%

JSON

Debian LTS Advisory DLA-2330-1 [email protected]
https://www.debian.org/lts/security/
August 16, 2020 https://wiki.debian.org/LTS

Package : jruby
Version : 1.7.26-1+deb9u2
CVE ID : CVE-2017-17742 CVE-2019-8320 CVE-2019-8321 CVE-2019-8322
CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 CVE-2019-16201
CVE-2019-16254 CVE-2019-16255
Debian Bug : 925987

Several vulnerabilities were fixed in JRuby,
a 100% pure-Java implementation of Ruby.

CVE-2017-17742
CVE-2019-16254

HTTP Response Splitting attacks in the HTTP server of WEBrick.

CVE-2019-16201

Regular Expression Denial of Service vulnerability of WEBrick&#x27;s 
Digest access authentication.

CVE-2019-8320

Delete directory using symlink when decompressing tar.

CVE-2019-8321

Escape sequence injection vulnerability in verbose.

CVE-2019-8322

Escape sequence injection vulnerability in gem owner.

CVE-2019-8323

Escape sequence injection vulnerability in API response handling.

CVE-2019-8324

Installing a malicious gem may lead to arbitrary code execution.

CVE-2019-8325

Escape sequence injection vulnerability in errors.

CVE-2019-16255

Code injection vulnerability of Shell#[] and Shell#test.

For Debian 9 stretch, these problems have been fixed in version
1.7.26-1+deb9u2.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9ppc64elruby2.3-dev< 2.3.3-1+deb9u6ruby2.3-dev_2.3.3-1+deb9u6_ppc64el.deb
Debian8armelruby2.1-tcltk< 2.1.5-2+deb8u7ruby2.1-tcltk_2.1.5-2+deb8u7_armel.deb
Debian9s390xruby2.3-dbgsym< 2.3.3-1+deb9u6ruby2.3-dbgsym_2.3.3-1+deb9u6_s390x.deb
Debian9arm64ruby2.3-dev< 2.3.3-1+deb9u6ruby2.3-dev_2.3.3-1+deb9u6_arm64.deb
Debian8armhflibruby2.1< 2.1.5-2+deb8u7libruby2.1_2.1.5-2+deb8u7_armhf.deb
Debian8i386ruby2.1-dev< 2.1.5-2+deb8u7ruby2.1-dev_2.1.5-2+deb8u7_i386.deb
Debian9s390xlibruby2.3-dbgsym< 2.3.3-1+deb9u6libruby2.3-dbgsym_2.3.3-1+deb9u6_s390x.deb
Debian9arm64libruby2.3-dbgsym< 2.3.3-1+deb9u6libruby2.3-dbgsym_2.3.3-1+deb9u6_arm64.deb
Debian8i386ruby2.1< 2.1.5-2+deb8u7ruby2.1_2.1.5-2+deb8u7_i386.deb
Debian8i386libruby2.1< 2.1.5-2+deb8u7libruby2.1_2.1.5-2+deb8u7_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	ppc64el	ruby2.3-dev	< 2.3.3-1+deb9u6	ruby2.3-dev_2.3.3-1+deb9u6_ppc64el.deb
Debian	8	armel	ruby2.1-tcltk	< 2.1.5-2+deb8u7	ruby2.1-tcltk_2.1.5-2+deb8u7_armel.deb
Debian	9	s390x	ruby2.3-dbgsym	< 2.3.3-1+deb9u6	ruby2.3-dbgsym_2.3.3-1+deb9u6_s390x.deb
Debian	9	arm64	ruby2.3-dev	< 2.3.3-1+deb9u6	ruby2.3-dev_2.3.3-1+deb9u6_arm64.deb
Debian	8	armhf	libruby2.1	< 2.1.5-2+deb8u7	libruby2.1_2.1.5-2+deb8u7_armhf.deb
Debian	8	i386	ruby2.1-dev	< 2.1.5-2+deb8u7	ruby2.1-dev_2.1.5-2+deb8u7_i386.deb
Debian	9	s390x	libruby2.3-dbgsym	< 2.3.3-1+deb9u6	libruby2.3-dbgsym_2.3.3-1+deb9u6_s390x.deb
Debian	9	arm64	libruby2.3-dbgsym	< 2.3.3-1+deb9u6	libruby2.3-dbgsym_2.3.3-1+deb9u6_arm64.deb
Debian	8	i386	ruby2.1	< 2.1.5-2+deb8u7	ruby2.1_2.1.5-2+deb8u7_i386.deb
Debian	8	i386	libruby2.1	< 2.1.5-2+deb8u7	libruby2.1_2.1.5-2+deb8u7_i386.deb