DebianDEBIAN:DLA-3408-1:C564E[SECURITY] [DLA 3408-1] jruby security update
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.0%
Debian LTS Advisory DLA-3408-1 [email protected]
https://www.debian.org/lts/security/ Adrian Bunk
April 30, 2023 https://wiki.debian.org/LTS
Package : jruby
Version : 9.1.17.0-3+deb10u1
CVE ID : CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255
CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755
CVE-2023-28756
Debian Bug : 972230 1014818
Several vulnerabilities were fixed in JRuby, a Java implementation of
the Ruby programming language.
CVE-2017-17742
CVE-2019-16254
HTTP Response Splitting attacks in the HTTP server of WEBrick.
CVE-2019-16201
Regular Expression Denial of Service vulnerability of WEBrick's
Digest access authentication.
CVE-2019-16255
Code injection vulnerability of Shell#[] and Shell#test.
CVE-2020-25613
HTTP Request Smuggling attack in WEBrick.
CVE-2021-31810
Trusting FTP PASV responses vulnerability in Net::FTP.
CVE-2021-32066
Net::IMAP did not raise an exception when StartTLS fails with an an
unknown response.
CVE-2023-28755
Quadratic backtracking on invalid URI.
CVE-2023-28756
The Time parser mishandled invalid strings that have specific characters.
For Debian 10 buster, these problems have been fixed in version
9.1.17.0-3+deb10u1.
We recommend that you upgrade your jruby packages.
For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jruby
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 9 | mips | ruby2.3-dbgsym | < 2.3.3-1+deb9u7 | ruby2.3-dbgsym_2.3.3-1+deb9u7_mips.deb |
| Debian | 10 | all | ruby2.5 | < 2.5.5-3+deb10u1 | ruby2.5_2.5.5-3+deb10u1_all.deb |
| Debian | 8 | armel | ruby2.1 | < 2.1.5-2+deb8u8 | ruby2.1_2.1.5-2+deb8u8_armel.deb |
| Debian | 9 | mips64el | ruby2.3-dbgsym | < 2.3.3-1+deb9u7 | ruby2.3-dbgsym_2.3.3-1+deb9u7_mips64el.deb |
| Debian | 9 | arm64 | libruby2.3 | < 2.3.3-1+deb9u7 | libruby2.3_2.3.3-1+deb9u7_arm64.deb |
| Debian | 9 | mips | ruby2.3 | < 2.3.3-1+deb9u7 | ruby2.3_2.3.3-1+deb9u7_mips.deb |
| Debian | 8 | armel | ruby2.1-tcltk | < 2.1.5-2+deb8u8 | ruby2.1-tcltk_2.1.5-2+deb8u8_armel.deb |
| Debian | 9 | arm64 | libruby2.3-dbgsym | < 2.3.3-1+deb9u7 | libruby2.3-dbgsym_2.3.3-1+deb9u7_arm64.deb |
| Debian | 9 | s390x | ruby2.3-dbgsym | < 2.3.3-1+deb9u7 | ruby2.3-dbgsym_2.3.3-1+deb9u7_s390x.deb |
| Debian | 9 | armel | ruby2.3 | < 2.3.3-1+deb9u7 | ruby2.3_2.3.3-1+deb9u7_armel.deb |
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.0%