
Mageia 7 MGASA-2020-0440 Critical: Jruby Escape Sequence Issues

Mageia, November 27, 2020
Mageia has released MGASA-2020-0440, updating the jruby package in Mageia 7 to fix the security issues listed below.

Summary

Response Splitting attack in the HTTP server of WEBrick (CVE-2017-17742).
Delete directory using symlink when decompressing tar (CVE-2019-8320).
Escape sequence injection vulnerability in verbose (CVE-2019-8321).
Escape sequence injection vulnerability in gem owner (CVE-2019-8322).
Escape sequence injection vulnerability in API response handling (CVE-2019-8323).
Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324).
Escape sequence injection vulnerability in errors (CVE-2019-8325).
Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication (CVE-2019-16201).
HTTP Response Splitting attack in the HTTP server of WEBrick (CVE-2019-16254).
Code injection vulnerability (CVE-2019-16255).
A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick (bundled along with jruby) was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP p...
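The last item above describes the mechanism behind request smuggling: two HTTP parsers on the same path (a proxy and the server behind it) resolve an ambiguous request differently, so they disagree about where one request ends and the next begins. The following Ruby model is an added illustration and is not WEBrick's, JRuby's or Mageia's code; the parser, the two "tolerant" framing rules, the strict rule and the probe request are all constructed for this example, and which tolerance a given real proxy or server shows is not something the advisory states.

```ruby
# Added illustration, not WEBrick's parser: a small model of HTTP/1.1 body
# framing. It shows two ways a parser can be "too tolerant" of an invalid
# Transfer-Encoding value, how a front end and a back end that differ in that
# tolerance disagree about where a request ends (request smuggling), and the
# strict check that rejects the ambiguous request instead of guessing.

class FramingError < StandardError; end

# Split a raw request into request line, headers and body. Header names are
# downcased; repeated headers are kept in insertion order.
def parse_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  request_line = lines.shift
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(":", 2)
    raise FramingError, "malformed header line #{line.inspect}" if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  [request_line, headers, body || ""]
end

# Tolerance 1 (hypothetical): an unknown transfer coding is silently ignored
# and the parser falls back to Content-Length (0 if absent).
def cl_fallback_framing(headers)
  te = headers["transfer-encoding"].join(",")
  return [:chunked, nil] if te.downcase == "chunked"
  [:content_length, headers["content-length"].first.to_i]
end

# Tolerance 2 (hypothetical): any value merely containing "chunked" is
# treated as chunked.
def loose_chunked_framing(headers)
  te = headers["transfer-encoding"].join(",")
  te =~ /chunked/i ? [:chunked, nil] : cl_fallback_framing(headers)
end

# Strict framing (RFC 7230 section 3.3.3): the only coding implemented is a
# single "chunked"; anything else, Transfer-Encoding beside Content-Length,
# or a conflicting/non-numeric Content-Length is rejected.
def strict_framing(headers)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  unless te.empty?
    codings = te.join(",").split(",").map { |c| c.strip.downcase }
    raise FramingError, "unsupported transfer coding #{codings.inspect}" unless codings == ["chunked"]
    raise FramingError, "Transfer-Encoding together with Content-Length" unless cl.empty?
    return [:chunked, nil]
  end
  return [:content_length, 0] if cl.empty?
  raise FramingError, "conflicting Content-Length values" if cl.uniq.size > 1
  raise FramingError, "invalid Content-Length #{cl.first.inspect}" unless cl.first =~ /\A\d+\z/
  [:content_length, cl.first.to_i]
end

# Bytes of `body` that belong to this request under `framing`; whatever
# follows them is read as the start of the next request on the connection.
def consumed_body(framing, body)
  kind, length = framing
  return body[0, length] unless kind == :chunked
  last = body.index("0\r\n\r\n") # terminating zero-size chunk, no trailers
  raise FramingError, "chunked body not terminated" if last.nil?
  body[0, last + 5]
end

# Constructed probe (sample input, not a captured request): the invalid
# coding "xchunked" beside a Content-Length covering the whole body, whose
# tail is a complete second request.
SMUGGLED_TAIL = "GET /second HTTP/1.1\r\nHost: example.test\r\n\r\n"
PROBE_BODY = "0\r\n\r\n" + SMUGGLED_TAIL
SMUGGLING_PROBE = "POST /upload HTTP/1.1\r\nHost: example.test\r\n" \
                  "Content-Length: #{PROBE_BODY.bytesize}\r\n" \
                  "Transfer-Encoding: xchunked\r\n\r\n#{PROBE_BODY}"

# A front end with tolerance 1 forwards the whole body as one request; a back
# end with tolerance 2 stops at the zero chunk and treats the tail as a new
# request the front end never inspected. The strict rule refuses the probe.
def demo(raw = SMUGGLING_PROBE)
  _line, headers, body = parse_request(raw)
  front = consumed_body(cl_fallback_framing(headers), body)
  back  = consumed_body(loose_chunked_framing(headers), body)
  verdict = begin
    strict_framing(headers)
    "accepted"
  rescue FramingError => e
    "rejected: #{e.message}"
  end
  { front_end_consumes: front, back_end_consumes: back,
    back_end_leftover: body[back.size..-1], strict_verdict: verdict }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Running the file prints the hash: the tolerant pair leaves `GET /second ...` in the back end's input buffer as a "next request", while the strict rule rejects the probe on the unknown coding before any body is read. A patched server should refuse such a request rather than guess at its framing; the exact status code it answers with is implementation-specific and is not stated in the advisory.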

References

- https://bugs.mageia.org/show_bug.cgi?id=27402

- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html

- https://lists.debian.org/debian-lts-announce/2020/10/msg00003.html

- https://bugs.mageia.org/show_bug.cgi?id=25875

- https://www.cve.org/CVERecord?id=CVE-2017-17742

- https://www.cve.org/CVERecord?id=CVE-2019-8320

- https://www.cve.org/CVERecord?id=CVE-2019-8321

- https://www.cve.org/CVERecord?id=CVE-2019-8322

- https://www.cve.org/CVERecord?id=CVE-2019-8323

- https://www.cve.org/CVERecord?id=CVE-2019-8324

- https://www.cve.org/CVERecord?id=CVE-2019-8325

- https://www.cve.org/CVERecord?id=CVE-2019-16201

- https://www.cve.org/CVERecord?id=CVE-2019-16254

- https://www.cve.org/CVERecord?id=CVE-2019-16255

- https://www.cve.org/CVERecord?id=CVE-2020-25613

Resolution

SRPMS

- 7/core/jruby-1.7.22-7.2.mga7

Severity: critical

Publication date: 27 Nov 2020
URL: https://advisories.mageia.org/MGASA-2020-0440.html
Type: security
CVE: CVE-2017-17742, CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-25613
