Bug 23158 - jruby new security issues CVE-2018-100007[3-9]
Summary: jruby new security issues CVE-2018-100007[3-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-08 22:15 CEST by David Walser
Modified: 2019-02-13 12:10 CET (History)
6 users (show)

See Also:
Source RPM: jruby-1.7.22-5.mga6.src.rpm
CVE:
Status comment:


Attachments
Script for testing JavaSwing in jruby - does not work (1.17 KB, application/x-ruby)
2019-02-04 10:54 CET, Len Lawrence
Details
A number of very basic tests of jruby. (1.49 KB, application/x-ruby)
2019-02-04 16:30 CET, Len Lawrence
Details
Summary of jruby tests including some code snippets, all at a very basic level. (2.71 KB, text/plain)
2019-02-04 16:35 CET, Len Lawrence
Details

Description David Walser 2018-06-08 22:15:48 CEST
Debian has issued an advisory today (June 8):
https://www.debian.org/security/2018/dsa-4219

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-08 22:15:57 CEST

Whiteboard: (none) => MGA6TOO

Nicolas Lécureuil 2019-01-03 01:27:19 CET

CC: (none) => mageia, pterjan

David Walser 2019-02-03 01:41:21 CET

Status comment: (none) => Patches available from Debian

Comment 1 David GEIGER 2019-02-03 21:02:30 CET
Fixed both Cauldron and mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-02-03 21:33:51 CET
Advisory:
========================

Updated jruby packages fix security vulnerabilities:

Several vulnerabilities were discovered in jruby. They would allow an attacker
to use specially crafted gem files to mount cross-site scripting attacks, cause
denial of service through an infinite loop, write arbitrary files, or run
malicious code (CVE-2018-1000073, CVE-2018-1000074, CVE-2018-1000075,
CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078, CVE-2018-1000079).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000079
https://www.debian.org/security/2018/dsa-4219
========================

Updated packages in core/updates_testing:
========================
jruby-1.7.22-5.1.mga6
jruby-devel-1.7.22-5.1.mga6
jruby-javadoc-1.7.22-5.1.mga6

from jruby-1.7.22-5.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Status comment: Patches available from Debian => (none)
Assignee: java => qa-bugs
Version: Cauldron => 6

Comment 3 Len Lawrence 2019-02-04 10:54:43 CET
Created attachment 10727 [details]
Script for testing JavaSwing in jruby - does not work

Refers to java.lang.boolean
Not found in jruby.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2019-02-04 16:28:24 CET
mga6, x86_64

$ jruby -v
jruby 1.7.22 (1.9.3p551) 2017-05-17 fffffff on OpenJDK 64-Bit Server VM 1.8.0_191-b12 +jit [linux-amd64]

Updated the packages.

Same version of jruby but package is 1.7.22-5.1.

Sampled some tutorials.  Attaching the report because it is tedious reading for a mailing list.  The upshot is that the updated jruby continues to work as far as I can see.  Nothing to stop it going out.

Whiteboard: (none) => MGA6-64-OK

Comment 5 Len Lawrence 2019-02-04 16:30:58 CET
Created attachment 10729 [details]
A number of very basic tests of jruby.

$ jruby tutorial.rb
Comment 6 Len Lawrence 2019-02-04 16:35:24 CET
Created attachment 10730 [details]
Summary of  jruby tests including some code snippets, all at a very basic level.
Len Lawrence 2019-02-08 09:03:34 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2019-02-13 03:35:28 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2019-02-13 12:10:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0062.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.