Debian-LTS has issued an advisory on October 1: https://www.debian.org/lts/security/2020/dla-2392
Upstream advisory from Ruby: https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
CC: (none) => pterjan
Assignee: bugsquad => pkg-bugs
Keywords: (none) => Triaged
Note that jruby-1.7.22-9.mga8 has been dropped in Cauldron.
CC: (none) => ouaurelien
Assignee: pkg-bugs => java
Blocks: (none) => 25875
All of these, CVE-2017-17742, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255 and CVE-2020-25613, are now applied in jruby-1.7.22-7.1.mga7.
CC: (none) => geiger.david68210
And now all of CVE-2019-832[0-5] are applied in jruby-1.7.22-7.2.mga7.
Advisory:
========================

Updated jruby packages fix security vulnerabilities:

Response Splitting attack in the HTTP server of WEBrick (CVE-2017-17742).

Delete directory using symlink when decompressing tar (CVE-2019-8320).

Escape sequence injection vulnerability in verbose (CVE-2019-8321).

Escape sequence injection vulnerability in gem owner (CVE-2019-8322).

Escape sequence injection vulnerability in API response handling (CVE-2019-8323).

Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324).

Escape sequence injection vulnerability in errors (CVE-2019-8325).

Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication (CVE-2019-16201).

HTTP Response Splitting attack in the HTTP server of WEBrick (CVE-2019-16254).

Code injection vulnerability (CVE-2019-16255).

A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick (bundled along with jruby) was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle" a request (CVE-2020-25613).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613
https://www.debian.org/lts/security/2020/dla-2330
https://www.debian.org/lts/security/2020/dla-2392
https://bugs.mageia.org/show_bug.cgi?id=25875
https://bugs.mageia.org/show_bug.cgi?id=27402
========================

Updated packages in core/updates_testing:
========================
jruby-1.7.22-7.2.mga7
jruby-devel-1.7.22-7.2.mga7
jruby-javadoc-1.7.22-7.2.mga7

from jruby-1.7.22-7.2.mga7.src.rpm
Severity: normal => critical
Assignee: java => qa-bugs
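The strict header handling the advisory describes for CVE-2020-25613, as an added example written for this page (not WEBrick's or jruby's own code): a request head is accepted only if its Transfer-Encoding is exactly "chunked", given once, and not combined with Content-Length, so a front proxy and the server cannot frame the body differently. The sample requests, the helper names and the Content-Length conflict rule are assumptions modelled on the advisory text.

```ruby
# Added example for this page; a simplified strict framing check, not WEBrick's code.
class BadRequest < StandardError; end

# Parse the request line and "Name: value" header lines of a raw HTTP/1.1 head
# into [request_line, {lowercased name => [values]}]; stops at the blank line.
def parse_headers(raw)
  lines = raw.split(/\r?\n/)
  request_line = lines.shift
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    raise BadRequest, "malformed header line: #{line.inspect}" if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  [request_line, headers]
end

# Decide how the body is framed, or raise BadRequest when the head is ambiguous.
# The Transfer-Encoding token is case-insensitive (RFC 7230), but anything other
# than a single "chunked" (e.g. "chunked, identity", "xchunked") is rejected,
# as is a request carrying both Transfer-Encoding and Content-Length.
def check_framing(raw)
  _line, headers = parse_headers(raw)
  te = headers['transfer-encoding']
  cl = headers['content-length']
  unless te.empty?
    raise BadRequest, 'duplicate Transfer-Encoding' if te.size > 1
    raise BadRequest, "unsupported Transfer-Encoding #{te[0].inspect}" unless te[0].casecmp?('chunked')
    raise BadRequest, 'both Transfer-Encoding and Content-Length present' unless cl.empty?
    return :chunked
  end
  return :none if cl.empty?
  raise BadRequest, 'conflicting Content-Length values' if cl.uniq.size > 1
  raise BadRequest, "bad Content-Length #{cl[0].inspect}" unless cl[0] =~ /\A\d+\z/
  :content_length
end

# Convenience wrapper: true when the head would be accepted, false otherwise.
def accepted?(raw)
  check_framing(raw)
  true
rescue BadRequest
  false
end

# Constructed sample heads (no bodies) used to exercise the check.
GOOD_CHUNKED = "POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
LOOSE_TE     = "POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked, identity\r\n\r\n"
BOTH_HEADERS = "POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n"
```

Run against the samples, only GOOD_CHUNKED is accepted; the other two raise BadRequest, which is the behaviour a server needs so that it never reads a body boundary differently from the proxy in front of it.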
Absolutely no knowledge of ruby, but I decided to forge ahead anyway. Installed jruby, jruby-javadoc, and their dependencies from the repos, with no installation issues. Referenced Bug 23158 for testing procedures, and experimented until I learned how to get the simple examples Len Lawrence provided working. Updated the jruby packages using QARepo. No installation issues. Ran the simple examples once more, and they all worked as expected. Looks good to go to me. OKing and Validating. Advisory in Comment 5. Leaving it to others to take it from here.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
Keywords: Triaged => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0440.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED