Debian 10: DLA-3408-1 High: JRuby HTTP Attack Mitigations
debian lts
April 30, 2023
Several vulnerabilities were fixed in JRuby, a Java implementation of the Ruby programming language
Summary
CVE-2017-17742
CVE-2019-16254
HTTP Response Splitting attacks in the HTTP server of WEBrick.
CVE-2019-16201
Regular Expression Denial of Service vulnerability of WEBrick's
Digest access authentication.
CVE-2019-16255
Code injection vulnerability of Shell#[] and Shell#test.
CVE-2020-25613
HTTP Request Smuggling attack in WEBrick.
CVE-2021-31810
Trusting FTP PASV responses vulnerability in Net::FTP.
CVE-2021-32066
Net::IMAP did not raise an exception when StartTLS fails with an an
unknown response.
CVE-2023-28755
Quadratic backtracking on invalid URI.
CVE-2023-28756
The Time parser mishandled invalid strings that have specific characters.
For Debian 10 buster, these problems have been fixed in version
9.1.17.0-3+deb10u1.
We recommend that you upgrade your jruby packages.
For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/jruby
PREVIOUS
NEXT
Package: jruby
Version: 9.1.17.0-3+deb10u1
CVE ID: CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255
Debian Bug: 972230 1014818
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!