
[SECURITY] [DLA 3408-1] jruby security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3408-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 30, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : jruby
Version        : 9.1.17.0-3+deb10u1
CVE ID         : CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 
                 CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755 
                 CVE-2023-28756
Debian Bug     : 972230 1014818

Several vulnerabilities were fixed in JRuby, a Java implementation of 
the Ruby programming language.

CVE-2017-17742
CVE-2019-16254

    HTTP response splitting in the WEBrick HTTP server: CR/LF sequences in
    attacker-controlled header values were not rejected, so a single response
    could be split into a second, forged one.

CVE-2019-16201

    Regular Expression Denial of Service vulnerability of WEBrick's 
    Digest access authentication.

CVE-2019-16255

    Code injection vulnerability in Shell#[] and Shell#test.

CVE-2020-25613

    HTTP request smuggling in WEBrick, which did not strictly validate the
    Transfer-Encoding header value.

CVE-2021-31810

    Net::FTP trusted the IP address in the server's PASV response, so a
    malicious server could redirect the client's data connection to an
    arbitrary host and port.

CVE-2021-32066

    Net::IMAP did not raise an exception when StartTLS failed with an
    unknown response, leaving the connection unencrypted.

CVE-2023-28755

    Regular expression denial of service (quadratic backtracking) in the URI
    parser when given an invalid URI.

CVE-2023-28756

    Regular expression denial of service in the Time parser: invalid strings
    containing specific characters caused excessive parsing time.
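As an added illustration of the response-splitting class behind CVE-2017-17742 and CVE-2019-16254 (example code written for this page, not WEBrick's implementation, with helper names and a constructed attacker input of its own), the following shows a header serializer that copies values verbatim next to one that rejects control characters:

```ruby
# Added example, not code from the advisory or from Ruby's WEBrick: a minimal
# header serializer that shows how a CR/LF in an attacker-controlled header
# value splits one HTTP response into two, and the check that blocks it.
# Nothing here opens a socket; the attacker input below is constructed.

class InvalidHeader < StandardError; end

# Constructed attacker input for a redirect target copied into Location:
# the CRLFs terminate the real response and start a second, forged one.
INJECTED = "/login\r\nSet-Cookie: session=attacker\r\n\r\n<html>phish</html>"

# Vulnerable: copies header values into the wire format verbatim.
def serialize_headers_unchecked(headers)
  headers.map { |name, value| "#{name}: #{value}\r\n" }.join + "\r\n"
end

# Hardened: a header name must be an RFC 7230 token; a value may not contain
# CR, LF or any other control character (HTAB is the one permitted exception).
TOKEN_RE   = /\A[\w!$#%&'*+\-.^`|~]+\z/
CONTROL_RE = /[\x00-\x08\x0a-\x1f\x7f]/

def check_header(value)
  value = value.to_s
  raise InvalidHeader, "control character in header value #{value.inspect}" if CONTROL_RE.match?(value)
  value
end

def serialize_headers(headers)
  headers.map do |name, value|
    raise InvalidHeader, "bad header name #{name.inspect}" unless TOKEN_RE.match?(name.to_s)
    "#{name}: #{check_header(value)}\r\n"
  end.join + "\r\n"
end

# true when the hardened serializer refuses the given headers.
def header_injection_blocked?(headers)
  serialize_headers(headers)
  false
rescue InvalidHeader
  true
end

# Split raw wire bytes at the first blank line, as a browser or proxy would:
# returns [header_lines, body]. With the unchecked serializer the forged
# Set-Cookie shows up as a header and the phishing page as the body.
def split_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  [head.split("\r\n"), body.to_s]
end

if __FILE__ == $0
  raw = serialize_headers_unchecked("Location" => INJECTED)
  p split_response(raw)   # => [["Location: /login", "Set-Cookie: session=attacker"], "<html>phish</html>\r\n\r\n"]
  p header_injection_blocked?("Location" => INJECTED)   # => true
end
```

The check is applied when the header is set, not when it is sent, so a value that reaches the wire has already been validated; rejecting the request with an error is the right response, because there is no safe way to "clean" a value that contains a CR or LF.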
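As an added illustration of the PASV trust problem behind CVE-2021-31810 (example code written for this page, not Net::FTP's own implementation; the helper names, the choice of how the control host is obtained and the constructed server replies are this example's assumptions, while the use_pasv_ip opt-in mirrors the option Net::FTP exposes), the following parses a PASV reply and takes only the port from it by default:

```ruby
# Added example, not code from the advisory or from Ruby's Net::FTP: parse an
# FTP PASV reply and pick the data-connection target the way a client hardened
# against CVE-2021-31810 should. Only the port is taken from the reply; the
# host stays the one the control connection already talks to, unless the
# caller opts in (Net::FTP exposes this opt-in as use_pasv_ip). The helper
# names and the constructed replies below are this example's own.

PASV_RE = /\A227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Returns [host, port] as advertised by the server, validating every field so
# a malformed reply cannot smuggle an out-of-range octet or a zero port.
def parse_pasv(line)
  m = PASV_RE.match(line.to_s) or raise ArgumentError, "not a PASV reply: #{line.inspect}"
  fields = m.captures.map(&:to_i)
  raise ArgumentError, "field out of range in #{line.inspect}" if fields.any? { |f| f > 255 }
  port = fields[4] * 256 + fields[5]
  raise ArgumentError, "port 0 is not a valid data port" if port.zero?
  [fields[0, 4].join("."), port]
end

def pasv_reply_valid?(line)
  parse_pasv(line)
  true
rescue ArgumentError
  false
end

# control_host: the address the control socket is connected to (a real client
# would read it from its socket's peer address; passing it in is an assumption
# made here so the example runs offline).
def data_target(pasv_line, control_host, use_pasv_ip: false)
  host, port = parse_pasv(pasv_line)
  return [host, port] if use_pasv_ip   # legacy behaviour, only for servers that need it
  [control_host, port]                 # hardened default: never follow the advertised IP
end

if __FILE__ == $0
  reply = "227 Entering Passive Mode (192,168,1,2,4,1)."   # constructed server reply
  p data_target(reply, "203.0.113.7")                      # => ["203.0.113.7", 1025]
  p data_target(reply, "203.0.113.7", use_pasv_ip: true)   # => ["192.168.1.2", 1025]
end
```

With the default, a server that advertises an internal address (192.168.1.2 above) gets no connection there; the client reconnects to the host it was already talking to, on the advertised port. Only multi-homed or NAT setups that genuinely need the advertised address should set the opt-in, and then only for servers they control.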

For Debian 10 buster, these problems have been fixed in version
9.1.17.0-3+deb10u1.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
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=6QoI
-----END PGP SIGNATURE-----

