DLA-3408-1

Source

https://storage.googleapis.com/debian-osv/dla-osv/DLA-3408-1.json

Published

2023-04-30T00:00:00Z

Modified

2023-06-28T06:21:29.474200Z

Details

Several vulnerabilities were fixed in JRuby, a Java implementation of the Ruby programming language.

CVE-2017-17742 CVE-2019-16254 HTTP Response Splitting attacks in the HTTP server of WEBrick.
CVE-2019-16201 Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication.
CVE-2019-16255 Code injection vulnerability.
CVE-2020-25613 HTTP Request Smuggling attack in WEBrick.
CVE-2021-31810 Trusting FTP PASV responses vulnerability in Net::FTP.
CVE-2021-32066 Net::IMAP did not raise an exception when StartTLS fails with an an unknown response.
CVE-2023-28755 Quadratic backtracking on invalid URI.
CVE-2023-28756 The Time parser mishandled invalid strings that have specific characters.

For Debian 10 buster, these problems have been fixed in version 9.1.17.0-3+deb10u1.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

References

https://www.debian.org/lts/security/2023/dla-3408

Affected packages

Debian:10 / jruby

Source Details

Package Name: jruby

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

9.1.17.0-3+deb10u1

Affected versions

9.*

9.1.17.0-3