Lucene search

DebianDEBIAN:DLA-2392-1:1A0A2

HistoryOct 01, 2020 - 3:52 p.m.

[SECURITY] [DLA 2392-1] jruby security update

2020-10-0115:52:45

lists.debian.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.7 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.4%

JSON

Debian LTS Advisory DLA-2392-1 [email protected]
https://www.debian.org/lts/security/ Utkarsh Gupta
October 01, 2020 https://wiki.debian.org/LTS

Package : jruby
Version : 1.7.26-1+deb9u3
CVE ID : CVE-2020-25613

A potential HTTP request smuggling vulnerability in WEBrick
was reported.

WEBrick (bundled along with jruby) was too tolerant against
an invalid Transfer-Encoding header. This may lead to
inconsistent interpretation between WEBrick and some HTTP proxy
servers, which may allow the attacker to “smuggle” a request.

For Debian 9 stretch, this problem has been fixed in version
1.7.26-1+deb9u3.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10mipselruby2.5-dbgsym< 2.5.5-3+deb10u3ruby2.5-dbgsym_2.5.5-3+deb10u3_mipsel.deb
Debian9armelruby2.3< 2.3.3-1+deb9u9ruby2.3_2.3.3-1+deb9u9_armel.deb
Debian10s390xruby2.5-dbgsym< 2.5.5-3+deb10u3ruby2.5-dbgsym_2.5.5-3+deb10u3_s390x.deb
Debian10mips64ellibruby2.5< 2.5.5-3+deb10u3libruby2.5_2.5.5-3+deb10u3_mips64el.deb
Debian10i386ruby2.5< 2.5.5-3+deb10u3ruby2.5_2.5.5-3+deb10u3_i386.deb
Debian9amd64ruby2.3-tcltk< 2.3.3-1+deb9u9ruby2.3-tcltk_2.3.3-1+deb9u9_amd64.deb
Debian9i386libruby2.3< 2.3.3-1+deb9u9libruby2.3_2.3.3-1+deb9u9_i386.deb
Debian9i386ruby2.3< 2.3.3-1+deb9u9ruby2.3_2.3.3-1+deb9u9_i386.deb
Debian10amd64ruby2.5< 2.5.5-3+deb10u3ruby2.5_2.5.5-3+deb10u3_amd64.deb
Debian10ppc64elruby2.5-dev< 2.5.5-3+deb10u3ruby2.5-dev_2.5.5-3+deb10u3_ppc64el.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	mipsel	ruby2.5-dbgsym	< 2.5.5-3+deb10u3	ruby2.5-dbgsym_2.5.5-3+deb10u3_mipsel.deb
Debian	9	armel	ruby2.3	< 2.3.3-1+deb9u9	ruby2.3_2.3.3-1+deb9u9_armel.deb
Debian	10	s390x	ruby2.5-dbgsym	< 2.5.5-3+deb10u3	ruby2.5-dbgsym_2.5.5-3+deb10u3_s390x.deb
Debian	10	mips64el	libruby2.5	< 2.5.5-3+deb10u3	libruby2.5_2.5.5-3+deb10u3_mips64el.deb
Debian	10	i386	ruby2.5	< 2.5.5-3+deb10u3	ruby2.5_2.5.5-3+deb10u3_i386.deb
Debian	9	amd64	ruby2.3-tcltk	< 2.3.3-1+deb9u9	ruby2.3-tcltk_2.3.3-1+deb9u9_amd64.deb
Debian	9	i386	libruby2.3	< 2.3.3-1+deb9u9	libruby2.3_2.3.3-1+deb9u9_i386.deb
Debian	9	i386	ruby2.3	< 2.3.3-1+deb9u9	ruby2.3_2.3.3-1+deb9u9_i386.deb
Debian	10	amd64	ruby2.5	< 2.5.5-3+deb10u3	ruby2.5_2.5.5-3+deb10u3_amd64.deb
Debian	10	ppc64el	ruby2.5-dev	< 2.5.5-3+deb10u3	ruby2.5-dev_2.5.5-3+deb10u3_ppc64el.deb