Debian Long Term Support / LTS Security Information / 2023 / Security Information -- DLA-3408-1 jruby

Debian Security Advisory

DLA-3408-1 jruby -- LTS security update

Date Reported:

30 Apr 2023

Affected Packages:

jruby

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 972230, Bug 1014818.
In Mitre's CVE dictionary: CVE-2017-17742, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-25613, CVE-2021-31810, CVE-2021-32066, CVE-2023-28755, CVE-2023-28756.

More information:

Several vulnerabilities were fixed in JRuby, a Java implementation of the Ruby programming language.

• CVE-2017-17742 CVE-2019-16254

  HTTP Response Splitting attacks in the HTTP server of WEBrick.

• CVE-2019-16201

  Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication.

• CVE-2019-16255

  Code injection vulnerability.

• CVE-2020-25613

  HTTP Request Smuggling attack in WEBrick.

• CVE-2021-31810

  Trusting FTP PASV responses vulnerability in Net::FTP.

• CVE-2021-32066

  Net::IMAP did not raise an exception when StartTLS fails with an an unknown response.

• CVE-2023-28755

  Quadratic backtracking on invalid URI.

• CVE-2023-28756

  The Time parser mishandled invalid strings that have specific characters.

For Debian 10 buster, these problems have been fixed in version 9.1.17.0-3+deb10u1.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS