Bug#686867: jruby: CVE-2011-4838
tony mancill
tmancill at debian.org
Thu Sep 20 04:16:51 UTC 2012
On 09/18/2012 03:17 PM, Moritz Mühlenhoff wrote:
> tags 686867 patch
> thanks
>
> On Thu, Sep 06, 2012 at 10:03:58PM +0200, Moritz Muehlenhoff wrote:
>> Package: jruby
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Hi,
>> jruby in Wheezy is still affected by http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
>> http://www.nruns.com/_downloads/advisory28122011.pdf
>> Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?
>
> Wheezy has 1.5.6, not 1.6.5.
>
> Anyway, I've extracted the patch, it's attached.
>
> Cheers,
> Moritz
Hello Moritz,

Thank you for attaching the patch. I have it applying cleanly and am in
the process of preparing an upload. However, currently the jruby
package is FTBFS due to an issue with one of its build-deps, nailgun,
which is installing a bad symlink.

> $ ls -al /usr/share/java/nailgun*
> -rw-r--r-- 1 root root 25607 Jul 18 22:54 /usr/share/java/nailgun-0.9.0.jar
> -rw-r--r-- 1 root root 7048 Jul 18 22:54 /usr/share/java/nailgun-examples-0.9.0.jar
> lrwxrwxrwx 1 root root 17 Jul 18 22:54 /usr/share/java/nailgun.jar -> nailgun-0.7.1.jar

Anyway, that's a separate bug. Just wanted to comment that this bug is
being worked on.

Cheers,
tony