Debian Security Advisory

DLA-209-1 jruby -- LTS security update

Date Reported:
29 Apr 2015
Affected Packages:
jruby
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 686867.
In Mitre's CVE dictionary: CVE-2011-4838.
More information:

JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. Note: This update includes corrections to the original fix for later Debian releases to avoid the issues identified in CVE-2012-5370.
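
The effect described above, as an added example that is not JRuby's or Debian's code: a chained hash table does quadratic work when every key lands in one bucket, and keying the hash with a per-process secret removes the predictability. The byte-sum hash, the HMAC-SHA256 stand-in for a keyed pseudorandom function, and all names and sample keys here are assumptions constructed for illustration.

```ruby
require 'openssl'
require 'securerandom'

BUCKETS = 64 # constructed table size for the demonstration

# Toy unkeyed hash (byte sum): identical in every process, so keys that
# collide can be worked out in advance. Not JRuby's function.
def unkeyed_hash(str)
  str.each_byte.sum
end

# Keyed hash: HMAC-SHA256 under a per-process secret stands in for a keyed
# pseudorandom function; bucket placement is unpredictable without the key.
def keyed_hash(str, key)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), key, str).unpack1('N')
end

# Insert keys into a chained hash table and count key comparisons.
# Each insert scans its bucket for a duplicate, so cost grows with chain length.
def insert_cost(keys)
  table = Array.new(BUCKETS) { [] }
  comparisons = 0
  keys.each do |k|
    chain = table[yield(k) % BUCKETS]
    comparisons += chain.size
    chain << k
  end
  comparisons
end

# Constructed sample input: 720 distinct keys with the same byte sum.
SAMPLE_KEYS = 'abcdef'.chars.permutation.map(&:join)
PROCESS_KEY = SecureRandom.random_bytes(16)

# Comparison counts for the same keys under each hash function.
def report
  {
    unkeyed: insert_cost(SAMPLE_KEYS) { |k| unkeyed_hash(k) },
    keyed: insert_cost(SAMPLE_KEYS) { |k| keyed_hash(k, PROCESS_KEY) }
  }
end

puts report.inspect if __FILE__ == $PROGRAM_NAME
```

The unkeyed count is n(n-1)/2 for n keys, which is the CPU consumption the advisory refers to; the keyed count stays close to that figure divided by the number of buckets.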