Bug#972230: CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613

Moritz Muehlenhoff jmm at debian.org
Wed Oct 14 22:01:30 BST 2020


Package: jruby
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

jruby bundles various modules from the Ruby stdlib, which have been affected by
security issues:

CVE-2017-17742:
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://github.com/ruby/ruby/commit/d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16

CVE-2019-16201
https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03
https://hackerone.com/reports/661722
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
		
CVE-2019-16254
https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
https://hackerone.com/reports/331984
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
		
CVE-2019-16255
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640

CVE-2020-25613
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7


The root cause for all of this is #926280

Cheers,
        Moritz
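As an added illustration of the bug class behind the two "http response splitting in webrick" entries in the report above (not code from the bug report, from webrick or from jruby): a minimal response-header serialiser written in two forms, one that copies an attacker-influenced header value onto the wire verbatim and one that refuses CR/LF first. The method names, the `InvalidHeaderValue` class and the `INJECTED_LOCATION` sample input are constructed for this example; the actual webrick change is in the linked commits. The check rejects a lone CR or LF as well as the CRLF pair, because many clients treat a bare LF as a line terminator, so testing only for the two-byte sequence leaves a gap.

```ruby
# Added example (not webrick code): two header serialisers, one vulnerable to
# response splitting and one that rejects CR/LF in header values.

# Constructed attacker input: a redirect target carrying a CRLF sequence
# followed by a header the attacker wants the client to see.
INJECTED_LOCATION = "/ok\r\nSet-Cookie: session=attacker".freeze

# Vulnerable pattern: header values are interpolated straight into the
# response bytes. CR/LF inside a value ends the header line early, so the
# attacker's tail becomes a separate header (and with a second CRLF pair,
# a whole attacker-controlled response body).
def unsafe_header_block(status, headers)
  lines = ["HTTP/1.1 #{status}"]
  headers.each { |name, value| lines << "#{name}: #{value}" }
  lines.join("\r\n") + "\r\n\r\n"
end

# Parse the serialised block back the way a client would, returning the
# header names the peer actually sees.
def parse_header_names(block)
  head = block.split("\r\n\r\n", 2).first
  head.split("\r\n").drop(1).map { |line| line.split(":", 2).first }
end

# Hardened pattern: refuse any header name or value containing CR or LF
# before it reaches the wire. Checking for a lone CR or LF, not only the
# "\r\n" pair, matters because clients differ in what ends a header line.
class InvalidHeaderValue < ArgumentError; end

def check_header_value!(value)
  s = value.to_s
  raise InvalidHeaderValue, "CR/LF in header value: #{s.inspect}" if s.match?(/[\r\n]/)
  s
end

def safe_header_block(status, headers)
  lines = ["HTTP/1.1 #{status}"]
  headers.each do |name, value|
    check_header_value!(name) # a name carrying CR/LF is just as bad
    lines << "#{name}: #{check_header_value!(value)}"
  end
  lines.join("\r\n") + "\r\n\r\n"
end

# True if the hardened path rejects the given (constructed) redirect target.
def hardened_rejects?(location = INJECTED_LOCATION)
  safe_header_block("302 Found", "Location" => location)
  false
rescue InvalidHeaderValue
  true
end

if __FILE__ == $0
  block = unsafe_header_block("302 Found", "Location" => INJECTED_LOCATION)
  puts "unsafe path emitted headers: #{parse_header_names(block).inspect}"
  puts "hardened path rejects input: #{hardened_rejects?}"
end
```

Run it directly to see the unsafe serialiser emit a second `Set-Cookie` header from a single `Location` value, while the hardened serialiser raises before anything is written. The same check belongs on every path that turns external input into a header line, including redirects and error pages, not just on the one code path where the problem was first noticed.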