[Git][security-tracker-team/security-tracker][master] Reserve DLA-3408-1 for jruby
Adrian Bunk (@bunk)
bunk at debian.org
Sun Apr 30 21:50:19 BST 2023
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker
Commits:
99bcda02 by Adrian Bunk at 2023-04-30T23:50:03+03:00
Reserve DLA-3408-1 for jruby
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -148340,7 +148340,6 @@ CVE-2021-32066 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7
- ruby2.5 <removed>
- ruby2.3 <removed>
- jruby 9.3.9.0+ds-1 (bug #1014818)
- [buster] - jruby <no-dsa> (Minor issue)
[stretch] - jruby <no-dsa> (Minor issue)
NOTE: https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
NOTE: https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a (2.7)
@@ -149273,7 +149272,6 @@ CVE-2021-31810 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7
- ruby2.5 <removed>
- ruby2.3 <removed>
- jruby 9.3.9.0+ds-1 (bug #1014818)
- [buster] - jruby <no-dsa> (Minor issue)
[stretch] - jruby <no-dsa> (Minor issue)
NOTE: https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
NOTE: https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469 (2.7)
@@ -197106,7 +197104,6 @@ CVE-2020-25613 (An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6
[buster] - ruby2.5 2.5.5-3+deb10u3
- ruby2.3 <removed>
- jruby 9.3.9.0+ds-1 (bug #972230)
- [buster] - jruby <no-dsa> (Minor issue)
NOTE: https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
NOTE: Fix in webrick: https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7
CVE-2020-25612 (The NuPoint Messenger of Mitel MiCollab before 9.2 could allow an atta ...)
@@ -270157,7 +270154,6 @@ CVE-2019-16255 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
- ruby2.3 <removed>
- ruby2.1 <removed>
- jruby 9.3.9.0+ds-1 (bug #972230)
- [buster] - jruby <no-dsa> (Minor issue)
NOTE: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
NOTE: ruby2.5: https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640
CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allow ...)
@@ -270166,7 +270162,6 @@ CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
- ruby2.3 <removed>
- ruby2.1 <removed>
- jruby 9.3.9.0+ds-1 (bug #972230)
- [buster] - jruby <no-dsa> (Minor issue)
NOTE: https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
NOTE: https://hackerone.com/reports/331984
NOTE: https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
@@ -270358,7 +270353,6 @@ CVE-2019-16201 (WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x throu
- ruby2.3 <removed>
- ruby2.1 <removed>
- jruby 9.3.9.0+ds-1 (bug #972230)
- [buster] - jruby <no-dsa> (Minor issue)
NOTE: https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03
NOTE: https://hackerone.com/reports/661722
NOTE: https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
@@ -363220,7 +363214,6 @@ CVE-2017-17743 (Improper input sanitization within the restricted administration
CVE-2017-17742 (Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x befo ...)
{DSA-4259-1 DLA-2330-1 DLA-2027-1 DLA-1421-1 DLA-1359-1 DLA-1358-1}
- jruby 9.3.9.0+ds-1 (bug #972230)
- [buster] - jruby <no-dsa> (Minor issue)
- ruby2.5 2.5.1-1
- ruby2.3 <removed>
- ruby2.1 <removed>
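Review bot: the advisory cross-reference line `{DSA-4259-1 DLA-2330-1 DLA-2027-1 DLA-1421-1 DLA-1359-1 DLA-1358-1}` directly above the removed buster marker is left without DLA-3408-1, even though this is the one entry in the hunk set that still carries a hand-maintained braces list. If that list is meant to be kept in sync for this entry, append `DLA-3408-1` to it in the same commit so the CVE page and the new data/DLA/list entry agree; if the braces list is considered legacy and derived from data/DLA/list instead, this can be ignored.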
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[30 Apr 2023] DLA-3408-1 jruby - security update
+ {CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755 CVE-2023-28756}
+ [buster] - jruby 9.1.17.0-3+deb10u1
[30 Apr 2023] DLA-3407-1 jackson-databind - security update
{CVE-2020-10650}
[buster] - jackson-databind 2.9.8-3+deb10u5
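Review bot: the new entry references nine CVEs, but the data/CVE/list part of this commit only drops `[buster] - jruby <no-dsa>` markers for seven of them (CVE-2017-17742, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-25613, CVE-2021-31810, CVE-2021-32066). CVE-2023-28755 and CVE-2023-28756 are not touched anywhere in the diff, so either they never had a buster triage line or one was missed; please confirm their data/CVE/list entries carry no leftover `<no-dsa>`/`<postponed>` annotation for buster that would now contradict the fixed version `9.1.17.0-3+deb10u1` recorded here. Also worth double-checking that this version string matches the actual buster upload before the DLA text is sent.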
=====================================
data/dla-needed.txt
=====================================
@@ -88,11 +88,6 @@ hdf5
NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably
NOTE: 20230318: sync w/ him. (utkarsh)
--
-jruby (Adrian Bunk)
- NOTE: 20230403: Programming language: Ruby, Java, C.
- NOTE: 20230403: Special attention: Not in bullseye
- NOTE: 20230403: Lots of postponed issues that were fixed in other ruby* packages (Beuc/front-desk)
---
libapache2-mod-auth-openidc (Adrian Bunk)
NOTE: 20230404: Programming language: C.
NOTE: 20230404: CVE-2019-20479 fixed in all other dists (including DLA-2298-1 for stretch)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99bcda0283c1df4b754d8b43dd4f7b1e5b5a1de0
--
You're receiving this email because of your account on salsa.debian.org.