Debian LTS: DLA-1796-1: jruby security update

    Date: 20 May 2019
    Category: Debian LTS
    Posted By: LinuxSecurity Advisories
    Multiple vulnerabilities have been discovered in jruby, a Java implementation of the Ruby programming language.
    
    Package        : jruby
    Version        : 1.5.6-9+deb8u1
    CVE ID         : CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                     CVE-2018-1000077 CVE-2018-1000078 CVE-2019-8321
                     CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
    Debian Bug     : 895778 925987
    
    
    CVE-2018-1000074
    
        Deserialization of Untrusted Data vulnerability in the owner command
        that can result in code execution. This attack appears to be
        exploitable when the victim runs the `gem owner` command on a gem
        with a specially crafted YAML file.
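The mitigation for this class of bug is to parse the response with a loader that refuses to instantiate tagged Ruby objects and then to check the shape of what came back. The following Ruby is an added example written for this advisory, not RubyGems' or jruby's own code; the response bodies are constructed samples, and `parse_owner_response` is a hypothetical name.

```ruby
require 'yaml'

# Constructed sample of a well-formed owner listing (not real rubygems.org output).
BENIGN_RESPONSE = <<~YAML
  ---
  - email: alice@example.test
    handle: alice
  - email: bob@example.test
    handle: bob
YAML

# Constructed sample that asks the parser to build an arbitrary Ruby object via
# a YAML tag. safe_load rejects the tag instead of instantiating the class.
TAGGED_RESPONSE = <<~YAML
  --- !ruby/object:OpenStruct
  table:
    foo: bar
YAML

# Parse an owner listing from an untrusted body and return the e-mail addresses.
# YAML.safe_load only yields core scalar/collection types; anything else raises
# Psych::DisallowedClass. The structure is then validated explicitly so that a
# syntactically valid but unexpected document is rejected too.
def parse_owner_response(body)
  data = YAML.safe_load(body)
  raise ArgumentError, 'expected a list of owners' unless data.is_a?(Array)
  data.map do |entry|
    unless entry.is_a?(Hash) && entry['email'].is_a?(String)
      raise ArgumentError, 'malformed owner entry'
    end
    entry['email']
  end
end

if $PROGRAM_NAME == __FILE__
  p parse_owner_response(BENIGN_RESPONSE)
  begin
    parse_owner_response(TAGGED_RESPONSE)
  rescue Psych::DisallowedClass => e
    puts "rejected: #{e.message}"
  end
end
```

`YAML.safe_load` is part of Psych in every Ruby this advisory covers; on newer Rubies `YAML.load` is itself restricted, but calling `safe_load` explicitly makes the intent visible and survives a change of interpreter.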
    
    CVE-2018-1000075
    
        An infinite loop caused by a negative size vulnerability in the ruby
        gem package tar header: a negative size in the header could cause an
        infinite loop.
    
    CVE-2018-1000076
    
        Improper Verification of Cryptographic Signature vulnerability in
        package.rb that can result in a mis-signed gem being installed, as
        the tarball could contain multiple gem signatures.
    
    CVE-2018-1000077
    
        Improper Input Validation vulnerability in the ruby gems specification
        homepage attribute that can result in a malicious gem setting an
        invalid homepage URL.
    
    CVE-2018-1000078
    
        Cross Site Scripting (XSS) vulnerability in the gem server display of
        the homepage attribute that can result in XSS. This attack appears to
        be exploitable when the victim browses to a malicious gem on a
        vulnerable gem server.
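CVE-2018-1000077 and CVE-2018-1000078 are two ends of one problem: a homepage value that is accepted without validation and later rendered without escaping. The Ruby below is an added example for this advisory, not the gem server's own code: `valid_homepage?` accepts only absolute http(s) URLs with a host, and `homepage_link_html` escapes both the attribute and the text when building the link. Both function names are hypothetical.

```ruby
require 'uri'
require 'cgi'

# Accept only an absolute http or https URL with a host. Anything else
# (other schemes, scheme-relative or relative references, embedded whitespace
# or control characters, unparsable input) is rejected.
def valid_homepage?(value)
  return false unless value.is_a?(String)
  return false if value.match?(/[\s\x00-\x1F]/)
  uri = URI.parse(value)
  %w[http https].include?(uri.scheme.to_s.downcase) && !uri.host.to_s.empty?
rescue URI::Error
  false
end

# Render a gem's homepage link for an HTML listing. The value is validated
# first and then HTML-escaped, so a stored homepage can never become markup
# or a script-bearing URL; an invalid homepage falls back to plain text.
def homepage_link_html(name, homepage)
  label = CGI.escapeHTML(name.to_s)
  return label unless valid_homepage?(homepage)
  href = CGI.escapeHTML(homepage)
  %(<a href="#{href}">#{label}</a>)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values for the example.
  puts homepage_link_html('demo-gem', 'https://example.org/demo?x=1&y=2')
  puts homepage_link_html('demo-gem', 'javascript:void(0)')
end
```

Validation on write protects every consumer of the attribute, and escaping on render protects against values that were stored before the check existed; a server needs both.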
    
    CVE-2019-8321
    
        Gem::UserInteraction#verbose calls say without escaping, so escape
        sequence injection is possible.
    
    CVE-2019-8322
    
        The gem owner command outputs the contents of the API response
        directly to stdout. Therefore, if the response is crafted, escape
        sequence injection may occur.
    
    CVE-2019-8323
    
        Gem::GemcutterUtilities#with_response may output the API response to
        stdout as it is. Therefore, if the API side modifies the response,
        escape sequence injection may occur.
    
    CVE-2019-8324
    
        A crafted gem with a multi-line name is not handled correctly.
        Therefore, an attacker could inject arbitrary code into the stub line
        of the gemspec.
    
    CVE-2019-8325
    
        Gem::CommandManager#run calls alert_error without escaping, so escape
        sequence injection is possible. (There are many ways to cause an
        error.)
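CVE-2019-8321, CVE-2019-8322, CVE-2019-8323 and CVE-2019-8325 share one fix: text that originated outside the process (an API response, a gem name, an error message built from either) must have terminal control characters neutralised before it is written to a terminal. The Ruby below is an added example for this advisory, not RubyGems' own `say` or `alert_error`; `sanitize_for_terminal`, `contains_control_chars?` and `safe_say` are hypothetical names, and the sample response is constructed.

```ruby
# C0 control characters and DEL, except tab and newline, which ordinary
# multi-line output relies on. ESC (0x1B) starts every ANSI sequence;
# carriage return is included because it can overwrite the current line.
CONTROL_CHARS = /[\x00-\x08\x0B-\x1F\x7F]/.freeze

# Render control characters visibly: ESC as the two characters "\e", any
# other control as "\xNN". The result is safe to print on a terminal and
# still shows a reader exactly what the untrusted text contained.
def sanitize_for_terminal(text)
  text.to_s.gsub(CONTROL_CHARS) do |ch|
    ch == "\e" ? '\e' : format('\x%02X', ch.ord)
  end
end

# True when the text still carries a character a terminal would act on.
def contains_control_chars?(text)
  text.to_s.match?(CONTROL_CHARS)
end

# Drop-in for printing a response body verbatim: sanitise, then write.
def safe_say(text, io = $stdout)
  io.puts sanitize_for_terminal(text)
end

# Constructed API response body (not real rubygems.org output). Printed raw,
# the sequence after the first sentence clears the screen and homes the
# cursor, so only "All good." would remain visible.
SAMPLE_RESPONSE = "Owner added successfully.\e[2J\e[HAll good.".freeze

if $PROGRAM_NAME == __FILE__
  safe_say(SAMPLE_RESPONSE)
end
```

Escaping to a visible form rather than deleting the characters is deliberate: an operator reading the log can see that the server tried to inject a sequence, which is the detection signal a silent strip would discard.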
    
    For Debian 8 "Jessie", these problems have been fixed in version
    1.5.6-9+deb8u1.
    
    We recommend that you upgrade your jruby packages.
    
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
    