Bug#1014818: jruby: CVE-2021-31810 CVE-2021-32066

Tue Jul 12 14:03:38 BST 2022

Source: jruby
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for jruby.

CVE-2021-31810[0]:
| An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3,
| and 3.x through 3.0.1. A malicious FTP server can use the PASV
| response to trick Net::FTP into connecting back to a given IP address
| and port. This potentially makes curl extract information about
| services that are otherwise private and not disclosed (e.g., the
| attacker can conduct port scans and service banner extractions).

This also affects the gems bundled with jruby:
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469 (2.7)

CVE-2021-32066[1]:
| An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3,
| and 3.x through 3.0.1. Net::IMAP does not raise an exception when
| StartTLS fails with an an unknown response, which might allow man-in-
| the-middle attackers to bypass the TLS protections by leveraging a
| network position between the client and the registry to block the
| StartTLS command, aka a "StartTLS stripping attack."

This also affects the gems bundled with jruby:
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a (2.7)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31810
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31810
[1] https://security-tracker.debian.org/tracker/CVE-2021-32066
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32066

Please adjust the affected versions in the BTS as needed.