MGASA-2020-0440 - Updated jruby packages fix security vulnerabilities

Publication date: 27 Nov 2020
URL: https://advisories.mageia.org/MGASA-2020-0440.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2017-17742,
     CVE-2019-8320,
     CVE-2019-8321,
     CVE-2019-8322,
     CVE-2019-8323,
     CVE-2019-8324,
     CVE-2019-8325,
     CVE-2019-16201,
     CVE-2019-16254,
     CVE-2019-16255,
     CVE-2020-25613

Response Splitting attack in the HTTP server of WEBrick (CVE-2017-17742).

Delete directory using symlink when decompressing tar (CVE-2019-8320).

Escape sequence injection vulnerability in verbose (CVE-2019-8321).

Escape sequence injection vulnerability in gem owner (CVE-2019-8322).

Escape sequence injection vulnerability in API response handling (CVE-2019-8323).

Installing a malicious gem may lead to arbitrary code execution
(CVE-2019-8324).

Escape sequence injection vulnerability in errors (CVE-2019-8325).

Regular Expression Denial of Service vulnerability of WEBrick's Digest access
authentication (CVE-2019-16201).

HTTP Response Splitting attack in the HTTP server of WEBrick (CVE-2019-16254).

Code injection vulnerability (CVE-2019-16255).

A potential HTTP request smuggling vulnerability in WEBrick was reported.
WEBrick (bundled along with jruby) was too tolerant against an invalid
Transfer-Encoding header. This may lead to inconsistent interpretation between
WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle"
a request (CVE-2020-25613).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27402
- https://www.debian.org/lts/security/2020/dla-2330
- https://www.debian.org/lts/security/2020/dla-2392
- https://bugs.mageia.org/show_bug.cgi?id=25875
- https://bugs.mageia.org/show_bug.cgi?id=27402
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613

SRPMS:
- 7/core/jruby-1.7.22-7.2.mga7