Debian Security Advisory
DLA-209-1 jruby -- LTS security update
- Date Reported: 29 Apr 2015
- Affected Packages:
- Security database references:
  - In the Debian bugtracking system: Bug 686867.
  - In Mitre's CVE dictionary: CVE-2011-4838.
- More information:
JRuby before 22.214.171.124 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. Note: This update includes corrections to the original fix for later Debian releases to avoid the issues identified in CVE-2012-5370.