Lucene search

K
debianDebianDEBIAN:DLA-3408-1:C564E
HistoryApr 30, 2023 - 8:58 p.m.

[SECURITY] [DLA 3408-1] jruby security update

2023-04-3020:58:08
lists.debian.org
24
http server vulnerabilities
debian lts advisory
java implementation
jruby
upgrade
ruby programming language
buster
security update
debian 10
multiple cves

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.011

Percentile

84.4%


Debian LTS Advisory DLA-3408-1 [email protected]
https://www.debian.org/lts/security/ Adrian Bunk
April 30, 2023 https://wiki.debian.org/LTS


Package : jruby
Version : 9.1.17.0-3+deb10u1
CVE ID : CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255
CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755
CVE-2023-28756
Debian Bug : 972230 1014818

Several vulnerabilities were fixed in JRuby, a Java implementation of
the Ruby programming language.

CVE-2017-17742
CVE-2019-16254

HTTP Response Splitting attacks in the HTTP server of WEBrick.

CVE-2019-16201

Regular Expression Denial of Service vulnerability of WEBrick's 
Digest access authentication.

CVE-2019-16255

Code injection vulnerability of Shell#[] and Shell#test.

CVE-2020-25613

HTTP Request Smuggling attack in WEBrick.

CVE-2021-31810

Trusting FTP PASV responses vulnerability in Net::FTP.

CVE-2021-32066

Net::IMAP did not raise an exception when StartTLS fails with an an 
unknown response.

CVE-2023-28755

Quadratic backtracking on invalid URI.

CVE-2023-28756

The Time parser mishandled invalid strings that have specific characters.

For Debian 10 buster, these problems have been fixed in version
9.1.17.0-3+deb10u1.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.011

Percentile

84.4%