Debian-LTS has issued an advisory on October 1:
Upstream advisory from Ruby:
Hi, thanks for reporting this bug.
Assigned to the package maintainer.
(Please set the status to 'assigned' if you are working on it)
Note that jruby-1.7.22-9.mga8 has been dropped in Cauldron.
All these CVE-2017-17742, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255 and CVE-2020-25613 fixes are now applied in jruby-1.7.22-7.1.mga7
And now all these CVE-2019-832[0-5] fixes are applied in jruby-1.7.22-7.2.mga7
Updated jruby packages fix security vulnerabilities:
HTTP Response Splitting attack in the HTTP server of WEBrick (CVE-2017-17742).
Delete directory using symlink when decompressing tar (CVE-2019-8320).
Escape sequence injection vulnerability in verbose (CVE-2019-8321).
Escape sequence injection vulnerability in gem owner (CVE-2019-8322).
Escape sequence injection vulnerability in API response handling (CVE-2019-8323).
Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324).
Escape sequence injection vulnerability in errors (CVE-2019-8325).
Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication (CVE-2019-16201).
HTTP Response Splitting attack in the HTTP server of WEBrick (CVE-2019-16254).
Code injection vulnerability (CVE-2019-16255).
A potential HTTP request smuggling vulnerability in WEBrick was reported.
WEBrick (bundled along with jruby) was too tolerant of an invalid
Transfer-Encoding header. This may lead to inconsistent interpretation between
WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle"
a request (CVE-2020-25613).
Updated packages in core/updates_testing:
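The Transfer-Encoding disagreement behind CVE-2020-25613, as an added Ruby example that is not WEBrick's code nor part of this update: one constructed request stream is framed by three policies. A front-end "proxy" that only honours a literal chunked value frames the body by Content-Length and sees one POST; a back-end that accepts any value merely containing "chunked" reads the zero-size chunk terminator and then parses the rest of the stream as a second, hidden GET; a hardened back-end refuses the request outright. The request bytes, the `xchunked` value and the three policy lambdas are assumptions modelled on the advisory's description, not on WEBrick's actual parser.

```ruby
require 'stringio'

# Constructed example request (not a real capture). The Transfer-Encoding
# value is deliberately not the literal "chunked"; Content-Length covers the
# whole remainder of the stream, including a second, hidden request.
SMUGGLED = "GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY     = "0\r\n\r\n" + SMUGGLED          # zero-size chunk terminator, then the hidden request
RAW      = "POST /submit HTTP/1.1\r\n" \
           "Host: example.test\r\n" \
           "Content-Length: #{BODY.bytesize}\r\n" \
           "Transfer-Encoding: xchunked\r\n" \
           "\r\n" + BODY

# Framing policies: each receives the raw Transfer-Encoding value (or nil)
# and returns :chunked, :length or :reject. They model the behaviours the
# advisory describes and are assumptions, not WEBrick's actual code.
# A front-end proxy that honours only a literal "chunked" and otherwise
# frames the body by Content-Length:
PROXY    = ->(te) { te && te.casecmp?('chunked') ? :chunked : :length }
# A back-end that accepts any value merely containing "chunked" (the
# too-tolerant check):
TOLERANT = ->(te) { te && te.match?(/chunked/i) ? :chunked : :length }
# A hardened back-end: exact match, or refuse the request so that the two
# hops can never disagree on where one message ends:
STRICT   = lambda do |te|
  return :length if te.nil?
  te.casecmp?('chunked') ? :chunked : :reject
end

# Read a chunked body up to and including the terminating zero-size chunk
# and the (possibly empty) trailer section.
def read_chunked(io)
  body = +''
  loop do
    size_line = io.gets or raise ArgumentError, 'truncated chunked body'
    size = size_line.split(';').first.strip.to_i(16)   # ignore chunk extensions
    break if size.zero?
    body << io.read(size)
    io.read(2)                                          # CRLF after chunk data
  end
  loop { t = io.gets; break if t.nil? || t == "\r\n" }  # skip trailers
  body
end

# Split a byte stream into the requests one hop would see under te_policy.
def parse_requests(raw, te_policy:)
  io = StringIO.new(raw)
  requests = []
  while (line = io.gets)
    line = line.chomp
    next if line.empty?
    method, path, _version = line.split(' ', 3)
    headers = {}
    while (h = io.gets) && h != "\r\n"
      name, value = h.chomp.split(':', 2)
      headers[name.strip.downcase] = value.to_s.strip
    end
    te = headers['transfer-encoding']
    body = case te_policy.call(te)
           when :chunked then read_chunked(io)
           when :length  then io.read(headers['content-length'].to_i)
           else raise ArgumentError, "unsupported Transfer-Encoding: #{te.inspect}"
           end
    requests << { method: method, path: path, body: body }
  end
  requests
end

if $PROGRAM_NAME == __FILE__
  puts "proxy sees:    #{parse_requests(RAW, te_policy: PROXY).map { |r| r[:path] }.inspect}"
  puts "tolerant sees: #{parse_requests(RAW, te_policy: TOLERANT).map { |r| r[:path] }.inspect}"
  begin
    parse_requests(RAW, te_policy: STRICT)
  rescue ArgumentError => e
    puts "strict rejects: #{e.message}"
  end
end
```

The proxy forwards the bytes as a single POST whose body happens to contain a GET; the tolerant back-end answers that GET as a separate request that the front-end never saw. The strict policy is the practitioner's check: when Transfer-Encoding is present but not exactly what the server implements, reject rather than guess.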
Absolutely no knowledge of ruby, but I decided to forge ahead anyway.
Installed jruby, jruby-javadoc, and their dependencies from the repos, with no installation issues. Referenced Bug 23158 for testing procedures, and experimented until I learned how to get the simple examples Len Lawrence provided working.
Updated the jruby packages using QARepo. No installation issues. Ran the simple examples once more, and they all worked as expected.
Looks good to go to me. OKing and Validating. Advisory in Comment 5. Leaving it to others to take it from here.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.