[Git][security-tracker-team/security-tracker][master] Reserve DLA-3408-1 for jruby

Adrian Bunk (@bunk) bunk at debian.org
Sun Apr 30 21:50:19 BST 2023



Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
99bcda02 by Adrian Bunk at 2023-04-30T23:50:03+03:00
Reserve DLA-3408-1 for jruby

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -148340,7 +148340,6 @@ CVE-2021-32066 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7
 	- ruby2.5 <removed>
 	- ruby2.3 <removed>
 	- jruby 9.3.9.0+ds-1 (bug #1014818)
-	[buster] - jruby <no-dsa> (Minor issue)
 	[stretch] - jruby <no-dsa> (Minor issue)
 	NOTE: https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
 	NOTE: https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a (2.7)
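Review bot: the `[stretch] - jruby <no-dsa> (Minor issue)` line directly below the removed buster marker is left in place; that is consistent with DLA-3408-1 being a buster-only update (`[buster] - jruby 9.1.17.0-3+deb10u1` in data/DLA/list), so just confirm stretch is intentionally untouched, since the same pattern repeats in the CVE-2021-31810 hunk.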
@@ -149273,7 +149272,6 @@ CVE-2021-31810 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7
 	- ruby2.5 <removed>
 	- ruby2.3 <removed>
 	- jruby 9.3.9.0+ds-1 (bug #1014818)
-	[buster] - jruby <no-dsa> (Minor issue)
 	[stretch] - jruby <no-dsa> (Minor issue)
 	NOTE: https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
 	NOTE: https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469 (2.7)
@@ -197106,7 +197104,6 @@ CVE-2020-25613 (An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6
 	[buster] - ruby2.5 2.5.5-3+deb10u3
 	- ruby2.3 <removed>
 	- jruby 9.3.9.0+ds-1 (bug #972230)
-	[buster] - jruby <no-dsa> (Minor issue)
 	NOTE: https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
 	NOTE: Fix in webrick: https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7
 CVE-2020-25612 (The NuPoint Messenger of Mitel MiCollab before 9.2 could allow an atta ...)
@@ -270157,7 +270154,6 @@ CVE-2019-16255 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
 	- jruby 9.3.9.0+ds-1 (bug #972230)
-	[buster] - jruby <no-dsa> (Minor issue)
 	NOTE: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
 	NOTE: ruby2.5: https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640
 CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allow ...)
@@ -270166,7 +270162,6 @@ CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
 	- jruby 9.3.9.0+ds-1 (bug #972230)
-	[buster] - jruby <no-dsa> (Minor issue)
 	NOTE: https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
 	NOTE: https://hackerone.com/reports/331984
 	NOTE: https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
@@ -270358,7 +270353,6 @@ CVE-2019-16201 (WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x throu
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
 	- jruby 9.3.9.0+ds-1 (bug #972230)
-	[buster] - jruby <no-dsa> (Minor issue)
 	NOTE: https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03
 	NOTE: https://hackerone.com/reports/661722
 	NOTE: https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
@@ -363220,7 +363214,6 @@ CVE-2017-17743 (Improper input sanitization within the restricted administration
 CVE-2017-17742 (Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x befo ...)
 	{DSA-4259-1 DLA-2330-1 DLA-2027-1 DLA-1421-1 DLA-1359-1 DLA-1358-1}
 	- jruby 9.3.9.0+ds-1 (bug #972230)
-	[buster] - jruby <no-dsa> (Minor issue)
 	- ruby2.5 2.5.1-1
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
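Review bot: the existing cross-reference line `{DSA-4259-1 DLA-2330-1 DLA-2027-1 DLA-1421-1 DLA-1359-1 DLA-1358-1}` for CVE-2017-17742 is not extended with DLA-3408-1 in this commit. If the tracker expects the DLA reference on the CVE entry as well as in data/DLA/list, it should be added here once the advisory is published; otherwise the buster status for this CVE is now carried only by the DLA list entry.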


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[30 Apr 2023] DLA-3408-1 jruby - security update
+	{CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755 CVE-2023-28756}
+	[buster] - jruby 9.1.17.0-3+deb10u1
 [30 Apr 2023] DLA-3407-1 jackson-databind - security update
 	{CVE-2020-10650}
 	[buster] - jackson-databind 2.9.8-3+deb10u5
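Review bot: the new DLA-3408-1 entry references nine CVEs, but the data/CVE/list hunks above touch only seven of them; CVE-2023-28755 and CVE-2023-28756 have no corresponding `[buster] - jruby` marker removal. Please confirm those two entries carry no stale buster `<no-dsa>` or `<postponed>` marker that would contradict the fixed version `9.1.17.0-3+deb10u1` recorded here.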


=====================================
data/dla-needed.txt
=====================================
@@ -88,11 +88,6 @@ hdf5
   NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably
   NOTE: 20230318: sync w/ him. (utkarsh)
 --
-jruby (Adrian Bunk)
-  NOTE: 20230403: Programming language: Ruby, Java, C.
-  NOTE: 20230403: Special attention: Not in bullseye
-  NOTE: 20230403: Lots of postponed issues that were fixed in other ruby* packages (Beuc/front-desk)
---
 libapache2-mod-auth-openidc (Adrian Bunk)
   NOTE: 20230404: Programming language: C.
   NOTE: 20230404: CVE-2019-20479 fixed in all other dists (including DLA-2298-1 for stretch)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99bcda0283c1df4b754d8b43dd4f7b1e5b5a1de0
