- ------------------------------------------------------------------------- Debian LTS Advisory DLA-3408-1 [email protected] https://www.debian.org/lts/security/ Adrian Bunk April 30, 2023 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : jruby Version : 9.1.17.0-3+deb10u1 CVE ID : CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755 CVE-2023-28756 Debian Bug : 972230 1014818 Several vulnerabilities were fixed in JRuby, a Java implementation of the Ruby programming language. CVE-2017-17742 CVE-2019-16254 HTTP Response Splitting attacks in the HTTP server of WEBrick. CVE-2019-16201 Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication. CVE-2019-16255 Code injection vulnerability of Shell#[] and Shell#test. CVE-2020-25613 HTTP Request Smuggling attack in WEBrick. CVE-2021-31810 Trusting FTP PASV responses vulnerability in Net::FTP. CVE-2021-32066 Net::IMAP did not raise an exception when StartTLS fails with an an unknown response. CVE-2023-28755 Quadratic backtracking on invalid URI. CVE-2023-28756 The Time parser mishandled invalid strings that have specific characters. For Debian 10 buster, these problems have been fixed in version 9.1.17.0-3+deb10u1. We recommend that you upgrade your jruby packages. For the detailed security status of jruby please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jruby Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS: DLA-3408-1: jruby security update
April 30, 2023
Several vulnerabilities were fixed in JRuby, a Java implementation of the Ruby programming language
Summary
CVE-2017-17742
CVE-2019-16254
HTTP Response Splitting attacks in the HTTP server of WEBrick.
CVE-2019-16201
Regular Expression Denial of Service vulnerability of WEBrick's
Digest access authentication.
CVE-2019-16255
Code injection vulnerability of Shell#[] and Shell#test.
CVE-2020-25613
HTTP Request Smuggling attack in WEBrick.
CVE-2021-31810
Trusting FTP PASV responses vulnerability in Net::FTP.
CVE-2021-32066
Net::IMAP did not raise an exception when StartTLS fails with an an
unknown response.
CVE-2023-28755
Quadratic backtracking on invalid URI.
CVE-2023-28756
The Time parser mishandled invalid strings that have specific characters.
For Debian 10 buster, these problems have been fixed in version
9.1.17.0-3+deb10u1.
We recommend that you upgrade your jruby packages.
For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jruby
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Severity
Package : jruby
Version : 9.1.17.0-3+deb10u1
CVE ID : CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255
Debian Bug : 972230 1014818
News
HOWTOs
About Us
Powered By
