Debian LTS: DLA-1796-1: jruby security update

    Date: 20 May 2019
    Category: Debian LTS
    Posted By: LinuxSecurity Advisories
    Multiple vulnerabilities have been discovered in jruby, a Java implementation of the Ruby programming language.
    Package        : jruby
    Version        : 1.5.6-9+deb8u1
    CVE ID         : CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                     CVE-2018-1000077 CVE-2018-1000078 CVE-2019-8321
                     CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
    Debian Bug     : 895778 925987
    CVE-2018-1000074
        Deserialization of Untrusted Data vulnerability in the owner command
        that can result in code execution. This attack appears to be
        exploitable when the victim runs the `gem owner` command on a gem
        with a specially crafted YAML file.
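
The deserialization problem above comes down to one call: the response the gem server returns to `gem owner` was fed to a full YAML loader, which will instantiate any Ruby class named by a `!ruby/object:` tag. The following is an added example, not code from jruby or RubyGems: it contrasts the unsafe load with `YAML.safe_load`, which accepts only plain data. `OwnerGadget` is a harmless placeholder class and both response bodies are constructed for the example; on Psych 4 (Ruby 3.1+) `YAML.load` is already safe, so the unsafe path falls back to `YAML.unsafe_load` to reproduce the old behaviour.

```ruby
require 'yaml'

# Harmless stand-in for whatever class an attacker would name in the tag.
# Unsafe loading allocates it and sets its instance variables from the document.
class OwnerGadget
  attr_accessor :cmd
end

# Constructed: what a hostile or spoofed gem server could return to `gem owner`.
HOSTILE_OWNER_RESPONSE = <<~YAML
  --- !ruby/object:OwnerGadget
  cmd: id
YAML

# Constructed: the benign shape the command expects, a list of owner records.
BENIGN_OWNER_RESPONSE = <<~YAML
  ---
  - email: alice@example.com
    handle: alice
  - email: bob@example.com
    handle: bob
YAML

# Pre-fix pattern: full YAML deserialisation of an untrusted HTTP body.
def load_owner_response_unsafe(body)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(body)   # Psych >= 3.3 / Ruby 3.1+
  else
    YAML.load(body)          # older Psych: load was already the unsafe one
  end
end

# Hardened pattern: only Hash/Array/String/Integer/Float/nil/true/false;
# any tagged Ruby object raises Psych::DisallowedClass.
def load_owner_response_safe(body)
  YAML.safe_load(body)
end

# What the command actually needs: the owner handles. The shape is checked
# explicitly so a response that parses but is not a list of records is rejected.
def owner_handles(body)
  data = load_owner_response_safe(body)
  raise ArgumentError, "unexpected response shape" unless data.is_a?(Array)
  data.map do |entry|
    raise ArgumentError, "unexpected response shape" unless entry.is_a?(Hash)
    entry.fetch('handle')
  end
end

if __FILE__ == $0
  obj = load_owner_response_unsafe(HOSTILE_OWNER_RESPONSE)
  puts "unsafe load built a #{obj.class} with cmd=#{obj.cmd.inspect}"
  begin
    load_owner_response_safe(HOSTILE_OWNER_RESPONSE)
  rescue Psych::DisallowedClass => e
    puts "safe load refused it: #{e.message}"
  end
  puts "owners: #{owner_handles(BENIGN_OWNER_RESPONSE).join(', ')}"
end
```

The placeholder class does nothing on its own; the point is that the loader never asks whether the named class is expected. Real gadget classes are ones whose `initialize`, `init_with` or method_missing hooks do work, and a safe loader removes that whole surface rather than trying to enumerate them.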
    CVE-2018-1000075
        Infinite loop caused by a negative size in a ruby gem package tar
        header: a negative size field can make the package reader loop forever.
    CVE-2018-1000076
        Improper Verification of Cryptographic Signature vulnerability in
        package.rb that can result in a mis-signed gem being installed,
        as the tarball could contain multiple gem signatures.
    CVE-2018-1000077
        Improper Input Validation vulnerability in the ruby gems specification
        homepage attribute: a malicious gem could set an invalid homepage URL.
    CVE-2018-1000078
        Cross Site Scripting (XSS) vulnerability in the gem server's display of
        the homepage attribute. This attack appears to be exploitable when the
        victim browses to a malicious gem on a vulnerable gem server.
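
The two homepage issues above are one bug seen from two sides: the specification accepted any string as `homepage`, and the gem server's index then dropped that string into an `<a href="...">` verbatim, so a `javascript:` URL or a value containing `">` became script in the victim's browser. The following is an added example rather than RubyGems' or jruby's code: an input-side check that only accepts absolute http(s) URLs, next to the vulnerable and the hardened rendering. The sample homepage values and the HTML fragment format are constructed for the example.

```ruby
require 'uri'
require 'cgi'

# Constructed sample homepage values as they might appear in gemspecs.
HOMEPAGES = {
  "ok"       => "https://example.com/mygem",
  "scheme"   => "javascript:alert(document.cookie)",
  "markup"   => "https://example.com/\"><script>alert(1)</script>",
  "relative" => "mygem/docs",
}

# Specification-side validation: the attribute is optional, but if present it
# must parse as an absolute http or https URL with a host. URI::HTTPS is a
# subclass of URI::HTTP, so one check covers both schemes.
def valid_homepage?(homepage)
  return true if homepage.nil? || homepage.empty?
  uri = URI.parse(homepage)
  uri.is_a?(URI::HTTP) && !uri.host.nil?
rescue URI::InvalidURIError
  false
end

# Pre-fix style rendering: the attribute goes into the page untouched.
def render_homepage_unsafe(name, homepage)
  %(<a href="#{homepage}">#{name}</a>)
end

# Hardened rendering: reject anything that is not an http(s) URL and escape
# on output anyway, so a bad value that slips past validation is still inert.
def render_homepage_safe(name, homepage)
  href = (homepage && !homepage.empty? && valid_homepage?(homepage)) ? homepage : "#"
  %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(name)}</a>)
end

if __FILE__ == $0
  HOMEPAGES.each do |label, hp|
    puts "#{label.ljust(8)} valid=#{valid_homepage?(hp)}"
    puts "  unsafe: #{render_homepage_unsafe('mygem', hp)}"
    puts "  safe:   #{render_homepage_safe('mygem', hp)}"
  end
end
```

Validation and escaping are not alternatives. The validator keeps `javascript:` and relative values out of the metadata; the escaping keeps the server correct even for gems published before the check existed, which is the situation a long-term-support package is most likely to meet.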
    CVE-2019-8321
        Gem::UserInteraction#verbose calls say without escaping, so escape
        sequence injection is possible.
    CVE-2019-8322
        The gem owner command outputs the contents of the API response
        directly to stdout. Therefore, if the response is crafted, escape
        sequence injection may occur.
    CVE-2019-8323
        Gem::GemcutterUtilities#with_response may output the API response to
        stdout as it is. Therefore, if the API side modifies the response,
        escape sequence injection may occur.
    CVE-2019-8324
        A crafted gem with a multi-line name is not handled correctly.
        Therefore, an attacker could inject arbitrary code into the stub line
        of the gemspec.
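
The multi-line name problem is an injection into generated source: installers write a `# stub: name version ...` comment at the top of the stored gemspec by interpolating the name, so a name containing a newline ends the comment and everything after the newline is ordinary Ruby when the file is later evaluated. The following is an added example, not RubyGems' or jruby's code; the exact stub format is assumed for illustration, and the hardened side is a name validator that admits only a single token of safe characters. The gem name and spec body are constructed.

```ruby
# Assumed stub format: one comment line carrying name, version and require
# paths, followed by the spec body. Built by interpolation, as the bug requires.
def stub_gemspec(name, version, require_paths, body)
  "# stub: #{name} #{version} ruby #{require_paths.join(' ')}\n" + body
end

# Lines that would actually be evaluated if the file were loaded as Ruby:
# everything that is not blank and not a comment.
def executable_lines(text)
  text.lines.map(&:chomp).reject { |l| l.strip.empty? || l.lstrip.start_with?("#") }
end

# Hardened: a gem name is one token of letters, digits, '.', '_' and '-'.
# (Assumed pattern for the example; it rejects newlines, quotes and spaces.)
NAME_PATTERN = /\A[a-zA-Z0-9._-]+\z/

def validate_gem_name!(name)
  unless name.is_a?(String) && name.match?(NAME_PATTERN)
    raise ArgumentError, "invalid gem name: #{name.inspect}"
  end
  name
end

# Same writer, but the name is checked before it reaches the template.
def stub_gemspec_safe(name, version, require_paths, body)
  stub_gemspec(validate_gem_name!(name), version, require_paths, body)
end

# Constructed spec body used by the demo and the checks.
SPEC_BODY = "Gem::Specification.new do |s|\n  s.name = 'mygem'\nend\n"
# Constructed hostile name: a newline, then Ruby, then '#' to comment out
# the rest of the stub line so the file still parses.
HOSTILE_NAME = "mygem\nputs 'injected' #"

if __FILE__ == $0
  puts "--- generated file for the hostile name"
  puts stub_gemspec(HOSTILE_NAME, "1.0", ["lib"], SPEC_BODY)
  puts "--- first line that would run: #{executable_lines(stub_gemspec(HOSTILE_NAME, '1.0', ['lib'], SPEC_BODY)).first.inspect}"
  begin
    stub_gemspec_safe(HOSTILE_NAME, "1.0", ["lib"], SPEC_BODY)
  rescue ArgumentError => e
    puts "--- hardened writer: #{e.message}"
  end
end
```

Escaping the name inside the comment would close this one hole; validating it closes the class, because the same attribute is also interpolated into file names, index pages and log lines, and a name that is a single safe token is harmless in all of them.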
    CVE-2019-8325
        Gem::CommandManager#run calls alert_error without escaping, so escape
        sequence injection is possible. (There are many ways to cause an
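
CVE-2019-8321, CVE-2019-8322, CVE-2019-8323 and CVE-2019-8325 are the same defect at four call sites: text that came from a gem server or a gem (API bodies, error messages, verbose output) was written to the terminal unfiltered, so an ESC-prefixed sequence in it could clear the screen, recolour lines, retitle the window or overwrite what the user just read. The following is an added example, not RubyGems' or jruby's own helper: a `clean_text` that replaces every C0 control byte except tab, newline and carriage return (and DEL) with a dot, a detector for the same set, and the unsafe and hardened output paths side by side. The hostile response body is constructed.

```ruby
require 'stringio'

# Bytes a terminal interprets: C0 controls other than \t (\011), \n (\012)
# and \r (\015), plus DEL (\177). Octal classes work on any ASCII-compatible
# encoding, including the binary strings an HTTP client hands back.
TERMINAL_CONTROLS = /[\000-\010\013-\014\016-\037\177]/

# Replace each control byte with '.', so ESC (\033) and BEL (\007) never reach
# the terminal and a sequence such as "\e[2J" arrives as the harmless ".[2J".
def clean_text(text)
  text.to_s.gsub(TERMINAL_CONTROLS, ".")
end

# Check used by the tests and by anyone auditing output paths.
def contains_terminal_controls?(text)
  text.to_s.match?(TERMINAL_CONTROLS)
end

# Constructed hostile API body: clears the screen, prints a red fake error
# instructing the user to run something, resets colour, then retitles the
# window via an OSC sequence terminated by BEL.
HOSTILE_RESPONSE = "Owner added successfully." \
                   "\e[2J\e[1;31mERROR: re-run `gem install --force some-gem`\e[0m" \
                   "\e]0;pwned\a"

# Pre-fix output path: the response is written as received.
def say_unsafe(io, message)
  io.puts message
  message
end

# Hardened output path: cleaned first. Returns the cleaned text for checks.
def say_safe(io, message)
  cleaned = clean_text(message)
  io.puts cleaned
  cleaned
end

if __FILE__ == $0
  out = StringIO.new
  say_safe(out, HOSTILE_RESPONSE)
  puts "hostile body contains controls: #{contains_terminal_controls?(HOSTILE_RESPONSE)}"
  puts "cleaned output: #{out.string}"
end
```

The cleaner is deliberately blunt: it does not try to parse CSI or OSC sequences and strip only the dangerous ones, because the set a given terminal honours is open-ended. Keeping `\n`, `\r` and `\t` preserves ordinary multi-line messages, and mapping the rest to a visible dot leaves evidence in the output that something was removed.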
    For Debian 8 "Jessie", these problems have been fixed in version
    1.5.6-9+deb8u1.
    We recommend that you upgrade your jruby packages.
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at:


