Updated jruby packages fix security vulnerabilities
Publication date: 27 Nov 2020Modification date: 27 Nov 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2017-17742 , CVE-2019-8320 , CVE-2019-8321 , CVE-2019-8322 , CVE-2019-8323 , CVE-2019-8324 , CVE-2019-8325 , CVE-2019-16201 , CVE-2019-16254 , CVE-2019-16255 , CVE-2020-25613
Description
Response Splitting attack in the HTTP server of WEBrick (CVE-2017-17742). Delete directory using symlink when decompressing tar (CVE-2019-8320). Escape sequence injection vulnerability in verbose (CVE-2019-8321). Escape sequence injection vulnerability in gem owner (CVE-2019-8322). Escape sequence injection vulnerability in API response handling (CVE-2019-8323). Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324). Escape sequence injection vulnerability in errors (CVE-2019-8325). Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication (CVE-2019-16201). HTTP Response Splitting attack in the HTTP server of WEBrick (CVE-2019-16254). Code injection vulnerability (CVE-2019-16255). A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick (bundled along with jruby) was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle" a request (CVE-2020-25613).
References
- https://bugs.mageia.org/show_bug.cgi?id=27402
- https://www.debian.org/lts/security/2020/dla-2330
- https://www.debian.org/lts/security/2020/dla-2392
- https://bugs.mageia.org/show_bug.cgi?id=25875
- https://bugs.mageia.org/show_bug.cgi?id=27402
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613
SRPMS
7/core
- jruby-1.7.22-7.2.mga7