Debian Security Advisory

DLA-1796-1 jruby -- LTS security update

Date Reported:
21 May 2019
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 895778, Bug 925987.
In Mitre's CVE dictionary: CVE-2018-1000074, CVE-2018-1000075, CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325.
More information:

Multiple vulnerabilities have been discovered in jruby, Java implementation of the Ruby programming language.

  • CVE-2018-1000074

    Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file

  • CVE-2018-1000075

    an infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop

  • CVE-2018-1000076

    Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.

  • CVE-2018-1000077

    Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL

  • CVE-2018-1000078

    Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server

  • CVE-2019-8321

    Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible

  • CVE-2019-8322

    The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur

  • CVE-2019-8323

    Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

  • CVE-2019-8324

    A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec

  • CVE-2019-8325

    Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

For Debian 8 Jessie, these problems have been fixed in version 1.5.6-9+deb8u1.

We recommend that you upgrade your jruby packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: