Debian LTS: DLA-3408-1: jruby security update
Summary
CVE-2017-17742
CVE-2019-16254
HTTP Response Splitting attacks in the HTTP server of WEBrick.
CVE-2019-16201
Regular Expression Denial of Service vulnerability of WEBrick's
Digest access authentication.
CVE-2019-16255
Code injection vulnerability of Shell#[] and Shell#test.
CVE-2020-25613
HTTP Request Smuggling attack in WEBrick.
CVE-2021-31810
Trusting FTP PASV responses vulnerability in Net::FTP.
CVE-2021-32066
Net::IMAP did not raise an exception when StartTLS fails with an an
unknown response.
CVE-2023-28755
Quadratic backtracking on invalid URI.
CVE-2023-28756
The Time parser mishandled invalid strings that have specific characters.
For Debian 10 buster, these problems have been fixed in version
9.1.17.0-3+deb10u1.
We recommend that you upgrade your jruby packages.
For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/jruby
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS