Bug 23158

Summary: jruby new security issues CVE-2018-100007[3-9]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, mageia, pterjan, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: jruby-1.7.22-5.mga6.src.rpm CVE:
Status comment:
Attachments: Script for testing JavaSwing in jruby - does not work
A number of very basic tests of jruby.
Summary of jruby tests including some code snippets, all at a very basic level.

Description David Walser 2018-06-08 22:15:48 CEST 
Debian has issued an advisory today (June 8):
https://www.debian.org/security/2018/dsa-4219

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-08 22:15:57 CEST

Whiteboard: (none) => MGA6TOO

Nicolas Lécureuil 2019-01-03 01:27:19 CET

CC: (none) => mageia, pterjan

David Walser 2019-02-03 01:41:21 CET

Status comment: (none) => Patches available from Debian

Comment 1 David GEIGER 2019-02-03 21:02:30 CET 
Fixed both Cauldron and mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-02-03 21:33:51 CET 
Advisory:
========================

Updated jruby packages fix security vulnerabilities:

Several vulnerabilities were discovered in jruby. They would allow an attacker
to use specially crafted gem files to mount cross-site scripting attacks, cause
denial of service through an infinite loop, write arbitrary files, or run
malicious code (CVE-2018-1000073, CVE-2018-1000074, CVE-2018-1000075,
CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078, CVE-2018-1000079).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000079
https://www.debian.org/security/2018/dsa-4219
========================

Updated packages in core/updates_testing:
========================
jruby-1.7.22-5.1.mga6
jruby-devel-1.7.22-5.1.mga6
jruby-javadoc-1.7.22-5.1.mga6

from jruby-1.7.22-5.1.mga6.src.rpm

Version: Cauldron => 6
Assignee: java => qa-bugs
Status comment: Patches available from Debian => (none)
Whiteboard: MGA6TOO => (none)

Comment 3 Len Lawrence 2019-02-04 10:54:43 CET 
Created attachment 10727 [details]
Script for testing JavaSwing in jruby - does not work

Refers to java.lang.boolean
Not found in jruby.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2019-02-04 16:28:24 CET 
mga6, x86_64

$ jruby -v
jruby 1.7.22 (1.9.3p551) 2017-05-17 fffffff on OpenJDK 64-Bit Server VM 1.8.0_191-b12 +jit [linux-amd64]

Updated the packages.

Same version of jruby but package is 1.7.22-5.1.

Sampled some tutorials.  Attaching the report because it is tedious reading for a mailing list.  The upshot is that the updated jruby continues to work as far as I can see.  Nothing to stop it going out.

Whiteboard: (none) => MGA6-64-OK

Comment 5 Len Lawrence 2019-02-04 16:30:58 CET 
Created attachment 10729 [details]
A number of very basic tests of jruby.

$ jruby tutorial.rb
Comment 6 Len Lawrence 2019-02-04 16:35:24 CET 
Created attachment 10730 [details]
Summary of  jruby tests including some code snippets, all at a very basic level.
Len Lawrence 2019-02-08 09:03:34 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2019-02-13 03:35:28 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2019-02-13 12:10:20 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0062.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED