Mageia 2020-0440: jruby security update
MGASA-2020-0440 - Updated jruby packages fix security vulnerabilities

Publication date: 27 Nov 2020
URL: https://advisories.mageia.org/MGASA-2020-0440.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2017-17742, CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-25613

Description

HTTP response splitting attack in the HTTP server of WEBrick (CVE-2017-17742).

Directory deletion via a symlink when decompressing a tar archive with RubyGems (CVE-2019-8320).

Escape sequence injection vulnerability in RubyGems verbose output (CVE-2019-8321).

Escape sequence injection vulnerability in the RubyGems "gem owner" command (CVE-2019-8322).

Escape sequence injection vulnerability in RubyGems API response handling (CVE-2019-8323).

Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324).

Escape sequence injection vulnerability in RubyGems error messages (CVE-2019-8325).

Regular expression denial of service vulnerability in WEBrick's Digest access authentication (CVE-2019-16201).

HTTP response splitting attack in the HTTP server of WEBrick (CVE-2019-16254).

Code injection vulnerability in Shell#[] and Shell#test when the command argument is untrusted (CVE-2019-16255).

A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick (bundled along with jruby) was too tolerant of an invalid Transfer-Encoding header. This may lead to inconsistent interpretation of the same request between WEBrick and some HTTP proxy servers, which may allow an attacker to "smuggle" a request past the proxy (CVE-2020-25613).
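The response splitting and escape sequence injection entries above share one root cause: attacker-controlled bytes reach a context (an HTTP header line, a terminal) that treats control characters as structure. The following is an added example, not WEBrick, RubyGems or jruby code; the redirect builder, the helper names and the sample inputs are assumptions constructed for illustration.

```ruby
# Added example, not WEBrick, RubyGems or jruby code. Shows the two
# control-character injection classes named in the advisory:
#  - HTTP response splitting: a CR/LF inside a header value ends the header
#    and lets the client see attacker-chosen headers and body.
#  - Terminal escape sequence injection: ESC sequences in text echoed to a
#    terminal (e.g. a gem name in verbose or error output) drive the terminal.
# The redirect builder, the constructed inputs and the helper names are
# assumptions made for this example.

# Vulnerable form: the target lands in the Location header unchecked.
def build_redirect_unsafe(target)
  "HTTP/1.1 302 Found\r\nLocation: #{target}\r\nContent-Length: 0\r\n\r\n"
end

# A header value may not contain CR, LF or any other C0 control except HTAB.
# Refuse rather than strip: stripping invites encoding games.
def header_value_ok?(value)
  value.is_a?(String) && !value.match?(/[\x00-\x08\x0a-\x1f\x7f]/)
end

# Hardened form: same output, but control characters are rejected up front.
def build_redirect_safe(target)
  raise ArgumentError, "control character in header value" unless header_value_ok?(target)
  build_redirect_unsafe(target)
end

# Header names as a client would parse them from the serialized response;
# the unsafe build of a CRLF-laden target shows extra, attacker-chosen headers.
def response_header_names(response)
  head = response.split("\r\n\r\n", 2).first
  head.split("\r\n").drop(1).map { |line| line.split(":", 2).first }
end

# CSI sequences (ESC [ ... final byte), other two-byte ESC sequences, and the
# remaining C0 controls except HTAB and LF. The CSI alternative comes first
# because ESC [ is itself inside the ESC @-_ range.
TERMINAL_CONTROL = /\e\[[0-?]*[ -\/]*[@-~]|\e[@-_]|[\x00-\x08\x0b-\x1f\x7f]/

# Strip before echoing untrusted text (gem names, server messages) to a tty.
def sanitize_for_terminal(text)
  text.gsub(TERMINAL_CONTROL, "")
end

# Constructed inputs for demonstration.
SPLIT_TARGET = "http://example.test/\r\nSet-Cookie: session=attacker\r\n\r\n<html>pwned"
ESCAPE_NAME  = "evil-gem\e[2J\e[H"   # clear screen, cursor home
```

With SPLIT_TARGET, build_redirect_unsafe yields a response whose header block contains a Set-Cookie line the application never set, while build_redirect_safe raises before any bytes are written; sanitize_for_terminal reduces ESCAPE_NAME to "evil-gem" and leaves tabs and newlines in ordinary text alone.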
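The request smuggling paragraph above describes a parser disagreement: a front-end proxy and WEBrick read the same bytes but place the end of the body differently. The following is an added example, not WEBrick or jruby code and not the upstream patch; it assumes a lenient back-end rule (any Transfer-Encoding value containing "chunked" counts as chunked), a proxy that falls back to Content-Length when it does not recognise the value, and a strict rule that accepts only a bare "chunked" token and never both headers together. The request bytes are constructed for the example.

```ruby
# Added example, not WEBrick or jruby code. Models the CVE-2020-25613 class:
# two parsers reading the same bytes disagree about where a request body ends.
# Assumptions for this example: the "lenient" rule treats any
# Transfer-Encoding value containing "chunked" as chunked; a front-end proxy
# that does not recognise that value falls back to Content-Length; the
# strict rule accepts only a bare "chunked" token and never both headers.

require "stringio"

# Split a raw HTTP/1.1 request into request line, lowercase-keyed headers
# and the raw bytes that follow the blank line.
def parse_request(raw)
  head, rest = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  request_line = lines.shift
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    raise ArgumentError, "malformed header line #{line.inspect}" if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  [request_line, headers, rest.to_s]
end

# Decode a chunked body; returns [decoded body, bytes left on the connection].
# Those leftover bytes are what a second, smuggled request is made of.
def read_chunked(bytes)
  io = StringIO.new(bytes)
  out = +""
  loop do
    size_line = io.gets("\r\n") or raise ArgumentError, "truncated chunk-size line"
    size = size_line.split(";").first.strip.to_i(16)
    break if size.zero?
    chunk = io.read(size)
    raise ArgumentError, "truncated chunk" unless chunk && chunk.bytesize == size
    out << chunk
    io.read(2) # CRLF after the chunk data
  end
  io.gets("\r\n") # CRLF after the last-chunk (trailers are not handled here)
  [out, io.read.to_s]
end

# What a Content-Length-only consumer (the proxy in this scenario) sees.
def content_length_body(headers, bytes)
  n = Integer(headers.fetch("content-length", "0"))
  [bytes.byteslice(0, n), bytes.byteslice(n..-1).to_s]
end

# Lenient back-end rule (assumed): substring match on "chunked", and
# Transfer-Encoding silently wins over Content-Length.
def lenient_body(headers, bytes)
  te = headers["transfer-encoding"]
  return read_chunked(bytes) if te && te.match?(/chunked/i)
  content_length_body(headers, bytes)
end

# Strict rule: only an exact "chunked" token, and never together with
# Content-Length. Anything else is refused so no two parsers can disagree.
def strict_body(headers, bytes)
  te = headers["transfer-encoding"]
  return content_length_body(headers, bytes) if te.nil?
  raise ArgumentError, "unsupported Transfer-Encoding #{te.inspect}" unless te.casecmp?("chunked")
  raise ArgumentError, "Transfer-Encoding with Content-Length" if headers.key?("content-length")
  read_chunked(bytes)
end

# Constructed CL.TE request: the proxy believes the whole body is opaque data
# covered by Content-Length; the lenient back-end stops at the last-chunk and
# treats the rest as the start of a new request the proxy never inspected.
SMUGGLED_TAIL = "GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"
SMUGGLED_BODY = "0\r\n\r\n" + SMUGGLED_TAIL
SMUGGLED_REQUEST =
  "POST / HTTP/1.1\r\nHost: example.test\r\n" \
  "Content-Length: #{SMUGGLED_BODY.bytesize}\r\n" \
  "Transfer-Encoding: xchunked\r\n\r\n" + SMUGGLED_BODY

# Returns what each parser makes of SMUGGLED_REQUEST.
def smuggling_outcome
  _, headers, bytes = parse_request(SMUGGLED_REQUEST)
  strict =
    begin
      strict_body(headers, bytes)
    rescue ArgumentError => e
      "rejected: #{e.message}"
    end
  { proxy: content_length_body(headers, bytes),
    lenient: lenient_body(headers, bytes),
    strict: strict }
end
```

smuggling_outcome returns the proxy view (entire body consumed, nothing left), the lenient view (empty body, with the GET /admin request left over on the connection) and the strict view (the request is rejected outright). A correctly chunked request with no Content-Length decodes identically under the lenient and strict rules, so the strict check costs nothing for well-formed clients.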
References:
- https://bugs.mageia.org/show_bug.cgi?id=27402
- https://www.debian.org/lts/security/2020/dla-2330
- https://www.debian.org/lts/security/2020/dla-2392
- https://bugs.mageia.org/show_bug.cgi?id=25875
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613

SRPMS:
- 7/core/jruby-1.7.22-7.2.mga7