Your message dated Sat, 3 Dec 2022 19:06:07 -0500
with message-id <[email protected]>
and subject line Re: CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613
has caused the Debian Bug report #972230,
regarding CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
972230: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972230
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jruby
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

jruby bundles various modules from the Ruby stdlib, which have been affected by
security issues:

CVE-2017-17742:
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://github.com/ruby/ruby/commit/d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16

CVE-2019-16201:
https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03
https://hackerone.com/reports/661722
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
                
CVE-2019-16254:
https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
https://hackerone.com/reports/331984
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
                
CVE-2019-16255:
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640

CVE-2020-25613:
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7


The root cause for all of this is #926280

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
Hello,

These CVE IDs have been fixed with the upload of jruby 9.3.9.0+ds-1 in Debian:

CVE-2017-17742
CVE-2019-16201
CVE-2019-16254
CVE-2019-16255
CVE-2020-25613

These were marked as fixed in a previous changelog entry but I mistakenly made the upload without including it.

Thanks,

-- Jerome

--- End Message ---