Mageia 2020-0440: jruby security update
Summary
Response Splitting attack in the HTTP server of WEBrick (CVE-2017-17742).
Delete directory using symlink when decompressing tar (CVE-2019-8320).
Escape sequence injection vulnerability in verbose (CVE-2019-8321).
Escape sequence injection vulnerability in gem owner (CVE-2019-8322).
Escape sequence injection vulnerability in API response handling (CVE-2019-8323).
Installing a malicious gem may lead to arbitrary code execution
(CVE-2019-8324).
Escape sequence injection vulnerability in errors (CVE-2019-8325).
Regular Expression Denial of Service vulnerability of WEBrick's Digest access
authentication (CVE-2019-16201).
HTTP Response Splitting attack in the HTTP server of WEBrick (CVE-2019-16254).
Code injection vulnerability (CVE-2019-16255).
A potential HTTP request smuggling vulnerability in WEBrick was reported.
WEBrick (bundled along with jruby) was too tolerant against an invalid
Transfer-Encoding header. This may lead to inconsistent interpretation between
WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle"
a request (CVE-2020-25613).
References
- https://bugs.mageia.org/show_bug.cgi?id=27402
- https://www.debian.org/lts/security/2020/dla-2330
- https://www.debian.org/lts/security/2020/dla-2392
- https://bugs.mageia.org/show_bug.cgi?id=25875
- https://bugs.mageia.org/show_bug.cgi?id=27402
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613
Resolution
MGASA-2020-0440 - Updated jruby packages fix security vulnerabilities
SRPMS
- 7/core/jruby-1.7.22-7.2.mga7