Debian Security Advisory
DLA-1796-1 jruby -- LTS security update
- Date Reported:
- 21 May 2019
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 895778, Bug 925987.
In Mitre's CVE dictionary: CVE-2018-1000074, CVE-2018-1000075, CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325.
- More information:
Multiple vulnerabilities have been discovered in jruby, Java implementation of the Ruby programming language.
Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file
an infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop
Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.
Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL
Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server
Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible
The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur
Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec
Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
For Debian 8
Jessie, these problems have been fixed in version 1.5.6-9+deb8u1.
We recommend that you upgrade your jruby packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS