Debian LTS: DLA-1796-1: jruby security update

    Date 20 May 2019
    Posted By LinuxSecurity Advisories
    Package        : jruby
    Version        : 1.5.6-9+deb8u1
    CVE ID         : CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                     CVE-2018-1000077 CVE-2018-1000078 CVE-2019-8321
                     CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
    Debian Bug     : 895778 925987
    Multiple vulnerabilities have been discovered in jruby, Java
    implementation of the Ruby programming language.
        Deserialization of Untrusted Data vulnerability in the owner command
        that can result in code execution. This attack appears to be
        exploitable if the victim runs the `gem owner` command on a gem
        with a specially crafted YAML file.

        Negative size vulnerability in the ruby gem package tar header:
        a negative size in the header could cause an infinite loop.

        Improper Verification of Cryptographic Signature vulnerability in
        package.rb that can result in a mis-signed gem being installed,
        as the tarball could contain multiple gem signatures.

        Improper Input Validation vulnerability in the ruby gems
        specification homepage attribute: a malicious gem could set an
        invalid homepage URL.

        Cross Site Scripting (XSS) vulnerability in the gem server's display
        of the homepage attribute that can result in XSS. This attack
        appears to be exploitable if the victim browses to a malicious gem
        on a vulnerable gem server.

        Gem::UserInteraction#verbose calls say without escaping, so escape
        sequence injection is possible.

        The gem owner command outputs the contents of the API response
        directly to stdout. Therefore, if the response is crafted, escape
        sequence injection may occur.

        Gem::GemcutterUtilities#with_response may output the API response to
        stdout unmodified. Therefore, if the API side modifies the response,
        escape sequence injection may occur.

        A crafted gem with a multi-line name is not handled correctly.
        Therefore, an attacker could inject arbitrary code into the stub
        line of the gemspec.

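The three input-validation problems above (a negative size in the tar header, an invalid homepage URL, and a multi-line gem name) all come down to trusting metadata that a gem author controls. The following Ruby is an added example of the checks a hardened gem handler would apply; it is not RubyGems or JRuby code, and every function and constant name in it is this example's own. The sample specification hashes and tar size fields are constructed for the demonstration.

```ruby
# Added example, not RubyGems or JRuby code: input validation for three
# untrusted gem fields (tar header size, gem name, homepage). Function and
# constant names are this example's own.
require 'uri'

TAR_SIZE_FIELD_LEN = 12   # ustar size field: 11 octal digits + NUL/space

# Parse the size field of a ustar header. Ruby's String#oct happily
# returns a negative number for "-1", which is exactly the value a read
# loop must never see, so only a plain octal string is accepted here
# (GNU base-256 sizes are out of scope and are rejected too).
def parse_tar_size(field)
  raise ArgumentError, "size field must be #{TAR_SIZE_FIELD_LEN} bytes" unless field.bytesize == TAR_SIZE_FIELD_LEN
  text = field.delete("\0 ")
  raise ArgumentError, "size field is not octal: #{text.inspect}" unless text.match?(/\A[0-7]+\z/)
  text.oct   # non-negative by construction
end

# A gem name must be one line of safe characters; a name containing a
# newline could otherwise terminate the generated stub line early.
def valid_gem_name?(name)
  name.is_a?(String) && name.match?(/\A[A-Za-z0-9_.\-]+\z/)
end

# The homepage attribute is optional, but when present it must be an
# absolute http(s) URL with a host; schemes such as javascript: or data:
# and URLs with embedded whitespace are rejected before being stored.
def valid_homepage?(url)
  return true if url.nil? || url == ""
  return false unless url.is_a?(String)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Run the metadata checks over a specification-like hash and return a
# list of human-readable problems (empty when the spec is acceptable).
def metadata_problems(spec)
  problems = []
  problems << "name must be a single line of [A-Za-z0-9_.-]" unless valid_gem_name?(spec[:name])
  problems << "homepage must be an absolute http(s) URL" unless valid_homepage?(spec[:homepage])
  problems
end

# Constructed samples, not real gems.
GOOD_SPEC = { name: "example-gem", homepage: "https://example.org/example-gem" }.freeze
BAD_SPEC  = { name: "example\nsystem('id')", homepage: "javascript:alert(1)" }.freeze

if $PROGRAM_NAME == __FILE__
  p metadata_problems(GOOD_SPEC)   # => []
  p metadata_problems(BAD_SPEC)
  begin
    parse_tar_size("-0000000001\0")
  rescue ArgumentError => e
    puts "rejected tar size: #{e.message}"
  end
end
```

The point of `parse_tar_size` is that it never lets a sign or a non-octal byte through to `oct`, so the caller's read loop can only ever advance by a non-negative number of bytes; the two other checks reject the value before it is ever written into a generated file or rendered in HTML.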
        Gem::CommandManager#run calls alert_error without escaping, so escape
        sequence injection is possible. (There are many ways to cause an
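Three of the issues listed above (the unescaped `say` in Gem::UserInteraction#verbose, the API response echoed by `gem owner` and Gem::GemcutterUtilities#with_response, and the unescaped `alert_error` in Gem::CommandManager#run) are the same defect: text under a remote party's control is written to a terminal without neutralising control characters. The following Ruby is an added example of the defensive handling, not RubyGems or JRuby code; the function names and the sample response are this example's own constructions.

```ruby
# Added example, not RubyGems or JRuby code: defensive handling of
# untrusted text that a command-line tool echoes to the terminal.
# Function and constant names below are this example's own.

# Control characters that must never reach the terminal raw. Newline (0x0a)
# and tab (0x09) are allowed through; everything else, including ESC (0x1b)
# and DEL (0x7f), is rewritten into a visible escaped form.
CONTROL_CHARS = /[\x00-\x08\x0b-\x1f\x7f]/

# Make a string safe to print: each control character becomes a literal
# backslash sequence, so an ESC byte can no longer start a terminal
# control sequence (cursor moves, screen clears, title changes, ...).
def sanitize_for_terminal(str)
  str.gsub(CONTROL_CHARS) do |ch|
    ch == "\e" ? '\e' : format('\x%02X', ch.ord)
  end
end

# Detection hook: true when the text carries an ANSI CSI sequence
# (ESC [ ... final byte) or an OSC sequence (ESC ] ... BEL or ESC \).
# A plain-text API response should never trip this, so it is a useful
# condition to log on.
def contains_escape_sequence?(str)
  str.match?(/\e(\[[0-9;?]*[ -\/]*[@-~]|\][^\a\e]*(\a|\e\\))/)
end

# Write an untrusted message to an IO after sanitising it; returns the
# text actually written so callers (and tests) can check it.
def say_safely(io, message)
  safe = sanitize_for_terminal(message)
  io.puts safe
  safe
end

# Constructed sample (not a real gem server reply): a plausible status
# message followed by sequences that would clear the screen, home the
# cursor and set the terminal title.
SAMPLE_RESPONSE = "Owner added successfully.\e[2J\e[H\e]0;pwned\a".freeze

if $PROGRAM_NAME == __FILE__
  warn "escape sequence detected in response" if contains_escape_sequence?(SAMPLE_RESPONSE)
  say_safely($stdout, SAMPLE_RESPONSE)
end
```

Run as a script, the sample prints as one visible line with `\e` and `\x07` spelled out instead of being interpreted by the terminal. Escaping at the output boundary, as `say_safely` does, covers every caller at once, which is preferable to patching each `say` and `alert_error` call site individually.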
    For Debian 8 "Jessie", these problems have been fixed in version
    We recommend that you upgrade your jruby packages.
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at:
