Advisories » MGASA-2020-0440

Updated jruby packages fix security vulnerabilities

Publication date: 27 Nov 2020
Modification date: 27 Nov 2020
Type: security
Affected Mageia releases: 7
CVE: CVE-2017-17742, CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-25613

Description

Response Splitting attack in the HTTP server of WEBrick (CVE-2017-17742).

Delete directory using symlink when decompressing tar (CVE-2019-8320).

Escape sequence injection vulnerability in verbose (CVE-2019-8321).

Escape sequence injection vulnerability in gem owner (CVE-2019-8322).

Escape sequence injection vulnerability in API response handling (CVE-2019-8323).

Installing a malicious gem may lead to arbitrary code execution
(CVE-2019-8324).

Escape sequence injection vulnerability in errors (CVE-2019-8325).

Regular Expression Denial of Service vulnerability of WEBrick's Digest access
authentication (CVE-2019-16201).

HTTP Response Splitting attack in the HTTP server of WEBrick (CVE-2019-16254).

Code injection vulnerability (CVE-2019-16255).

A potential HTTP request smuggling vulnerability in WEBrick was reported.
WEBrick (bundled along with jruby) was too tolerant of an invalid
Transfer-Encoding header. This may lead to inconsistent interpretation of the
same request between WEBrick and some HTTP proxy servers, which may allow an
attacker to "smuggle" a request past the proxy (CVE-2020-25613).
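The smuggling issue above comes down to two parsers disagreeing about how a request body is framed. The following is an added example, not code from the Mageia advisory or from WEBrick itself: a strict framing check of the kind a reverse proxy or an application-level filter can apply so that ambiguous requests are rejected instead of interpreted. The rules it enforces (exactly one `Transfer-Encoding: chunked` or one `Content-Length`, never both; no extra codings; no whitespace before the colon; no obsolete line folding) are this example's own defensive assumptions, and the function names `parse_header_lines`, `framing_for` and `framing_ok?` are hypothetical. The sample header sets at the bottom are constructed, not captured traffic.

```ruby
# Added example (not part of the Mageia advisory or of WEBrick's code).
# A strict check of HTTP/1.1 body-framing headers. The defensive rule is:
# either exactly one "Transfer-Encoding: chunked" or exactly one
# Content-Length, never both, and anything malformed is rejected outright
# rather than "repaired", so that a proxy in front and the server behind
# cannot disagree about where the body ends.

FramingError = Class.new(StandardError)

# RFC 7230 "token" characters, allowed in header field names.
TOKEN_CHARS = /\A[!\#$%&'*+\-.^_`|~0-9A-Za-z]+\z/

# Parse raw header lines (already split on CRLF, request line excluded).
# Returns [name_downcased, value] pairs; duplicates are kept on purpose,
# because duplicate framing headers are themselves a reason to reject.
def parse_header_lines(lines)
  lines.map do |line|
    # Obsolete line folding (leading SP/HTAB) must be rejected or replaced
    # per RFC 7230 3.2.4; rejecting is the safer choice.
    raise FramingError, "obsolete line folding: #{line.inspect}" if line.start_with?(" ", "\t")
    name, sep, value = line.partition(":")
    raise FramingError, "malformed header line: #{line.inspect}" if sep.empty?
    # Whitespace between the field name and the colon is forbidden.
    raise FramingError, "whitespace before colon: #{line.inspect}" if name != name.rstrip
    raise FramingError, "invalid field name: #{name.inspect}" unless name.match?(TOKEN_CHARS)
    # Only SP/HTAB may surround the value; control characters are rejected.
    value = value.gsub(/\A[ \t]+|[ \t]+\z/, "")
    raise FramingError, "control character in value: #{value.inspect}" if value.match?(/[\x00-\x1f\x7f]/)
    [name.downcase, value]
  end
end

# Decide how the body is framed: :chunked, [:content_length, n] or :none.
# Raises FramingError for anything ambiguous or malformed.
def framing_for(lines)
  headers = parse_header_lines(lines)
  te = headers.select { |n, _| n == "transfer-encoding" }.map(&:last)
  cl = headers.select { |n, _| n == "content-length" }.map(&:last)

  raise FramingError, "both Transfer-Encoding and Content-Length present" if !te.empty? && !cl.empty?
  raise FramingError, "multiple Transfer-Encoding headers" if te.size > 1
  raise FramingError, "multiple Content-Length headers" if cl.size > 1

  if te.size == 1
    # Only the exact token "chunked" (case-insensitive) is accepted. Values
    # such as "chunked, identity" or "xchunked" are rejected, not interpreted.
    value = te.first
    raise FramingError, "unsupported Transfer-Encoding: #{value.inspect}" unless value.match?(/\Achunked\z/i)
    return :chunked
  end

  if cl.size == 1
    value = cl.first
    raise FramingError, "invalid Content-Length: #{value.inspect}" unless value.match?(/\A\d+\z/)
    return [:content_length, Integer(value, 10)]
  end

  :none
end

# Convenience wrapper: true only if the framing is unambiguous.
def framing_ok?(lines)
  framing_for(lines)
  true
rescue FramingError
  false
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample header sets (not captured traffic).
  samples = {
    "clean chunked"            => ["Host: app.example", "Transfer-Encoding: chunked"],
    "TE and CL both present"   => ["Transfer-Encoding: chunked", "Content-Length: 4"],
    "TE with extra coding"     => ["Transfer-Encoding: chunked, identity"],
    "space before colon"       => ["Transfer-Encoding : chunked"],
    "plain Content-Length"     => ["Content-Length: 12"],
  }
  samples.each { |label, lines| puts "#{label}: #{framing_ok?(lines) ? 'accept' : 'reject'}" }
end
```

The point of rejecting rather than normalising is that any "repair" (dropping a stray coding, trimming odd whitespace) is exactly the kind of tolerance that lets two hops read one request differently; a hard reject with a 400 leaves nothing for a downstream parser to reinterpret.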

References

SRPMS

7/core