Debian has issued an advisory today (June 8):
https://www.debian.org/security/2018/dsa-4219

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
CC: (none) => mageia, pterjan
Status comment: (none) => Patches available from Debian
Fixed both Cauldron and mga6!
CC: (none) => geiger.david68210
Advisory:
========================

Updated jruby packages fix security vulnerabilities:

Several vulnerabilities were discovered in jruby. They would allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code (CVE-2018-1000073, CVE-2018-1000074, CVE-2018-1000075, CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078, CVE-2018-1000079).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000079
https://www.debian.org/security/2018/dsa-4219
========================

Updated packages in core/updates_testing:
========================
jruby-1.7.22-5.1.mga6
jruby-devel-1.7.22-5.1.mga6
jruby-javadoc-1.7.22-5.1.mga6

from jruby-1.7.22-5.1.mga6.src.rpm

Version: Cauldron => 6
Assignee: java => qa-bugs
Status comment: Patches available from Debian => (none)
Whiteboard: MGA6TOO => (none)
Created attachment 10727
Script for testing JavaSwing in jruby - does not work

Refers to java.lang.boolean
Not found in jruby.
CC: (none) => tarazed25
mga6, x86_64

$ jruby -v
jruby 1.7.22 (1.9.3p551) 2017-05-17 fffffff on OpenJDK 64-Bit Server VM 1.8.0_191-b12 +jit [linux-amd64]

Updated the packages.
Same version of jruby but package is 1.7.22-5.1.

Sampled some tutorials. Attaching the report because it is tedious reading for a mailing list.
The upshot is that the updated jruby continues to work as far as I can see. Nothing to stop it going out.
Whiteboard: (none) => MGA6-64-OK
Created attachment 10729
A number of very basic tests of jruby.

$ jruby tutorial.rb

Created attachment 10730
Summary of jruby tests including some code snippets, all at a very basic level.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0062.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED