
Debian 7 Wheezy DLA-1337-1 Critical: JRuby Multiple Issues Resolved

Debian LTS, April 2, 2018
Several security flaws in the rubygems component of jruby have been resolved in update version 1.5.6-5+deb7u1 for Debian 7 Wheezy.
Multiple vulnerabilities were found in the rubygems package management framework embedded in JRuby, a pure-Java implementation of the Ruby programming language.

Summary

CVE-2018-1000075

A negative size value in a ruby gem package tar header could cause an
infinite loop.

CVE-2018-1000076

RubyGems improperly verifies cryptographic signatures. A mis-signed
gem could be installed if the tarball contains multiple gem signatures.

CVE-2018-1000077

An improper input validation vulnerability in the ruby gems specification
homepage attribute could allow a malicious gem to set an invalid homepage
URL.

CVE-2018-1000078

A cross-site scripting (XSS) vulnerability in the gem server's display of
the homepage attribute.

For Debian 7 "Wheezy", these problems have been fixed in version
1.5.6-5+deb7u1.

We recommend that you upgrade your jruby packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Severity: Critical

Package: jruby
Version: 1.5.6-5+deb7u1
CVE ID: CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078
