-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jruby
Version        : 1.5.6-9+deb8u1
CVE ID         : CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                 CVE-2018-1000077 CVE-2018-1000078 CVE-2019-8321
                 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
Debian Bug     : 895778 925987
Multiple vulnerabilities have been discovered in jruby, a Java
implementation of the Ruby programming language.

CVE-2018-1000074

    Deserialization of untrusted data in the `gem owner` command can
    result in code execution. The victim must run `gem owner` on a gem
    containing a specially crafted YAML file.

CVE-2018-1000075

    A negative size in a ruby gem package tar header is not rejected
    and can cause an infinite loop.

CVE-2018-1000076

    Improper verification of cryptographic signatures in package.rb:
    a tarball containing multiple gem signatures could allow a
    mis-signed gem to be installed.

CVE-2018-1000077

    Improper input validation of the gem specification homepage
    attribute: a malicious gem could set an invalid homepage URL.

CVE-2018-1000078

    Cross site scripting (XSS) in the gem server's display of the
    homepage attribute. The victim must browse to a malicious gem on a
    vulnerable gem server.

CVE-2019-8321

    Gem::UserInteraction#verbose calls say without escaping, so escape
    sequence injection is possible.

CVE-2019-8322

    The `gem owner` command writes the contents of the API response
    directly to stdout, so a crafted response can inject escape
    sequences.

CVE-2019-8323

    Gem::GemcutterUtilities#with_response may write the API response to
    stdout as it is, so if the API side modifies the response, escape
    sequence injection may occur.

CVE-2019-8324

    A crafted gem with a multi-line name is not handled correctly, so
    an attacker could inject arbitrary code into the stub line of the
    gemspec.

CVE-2019-8325

    Gem::CommandManager#run calls alert_error without escaping, so
    escape sequence injection is possible. (There are many ways to
    cause an error.)

For Debian 8 "Jessie", these problems have been fixed in version
1.5.6-9+deb8u1.
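The escape sequence, multi-line name, homepage and YAML issues listed above share one root cause: untrusted gem metadata reaches a terminal, a generated gemspec stub, a web page or a deserializer without being checked. The following is an added example, not code from this advisory, from jruby or from RubyGems, sketching the defensive checks a gem client would apply for each of those paths. The function names, the accepted name charset and the sample inputs are assumptions, and the checks are simplified relative to the actual RubyGems fixes.

```ruby
require 'psych'
require 'uri'

# Added example (not part of the Debian advisory, jruby or RubyGems):
# input-handling checks for untrusted gem metadata, in the spirit of the
# fixes this advisory ships. All function names here are hypothetical.

# CVE-2019-8321/8322/8323/8325: text from a gem or an API response must not
# reach the terminal raw. Every non-printable character, including the ESC
# (0x1b) that starts terminal control sequences, is rewritten to its visible
# escaped form (e.g. \e, \r) so it is displayed rather than interpreted.
# scrub first so invalid byte sequences cannot make gsub raise.
def escape_terminal(str)
  str.to_s.scrub.gsub(/[^[:print:]]/) { |c| c.inspect[1..-2] }
end

# CVE-2019-8324: a gem name containing a newline smuggles a second line into
# the generated gemspec stub. Accept only a conservative charset (assumed
# here, not RubyGems' exact rule) and anchor with \z, the true end of string;
# \Z would still accept a name with a trailing "\n".
VALID_GEM_NAME = /\A[a-zA-Z0-9][a-zA-Z0-9._-]*\z/

def valid_gem_name?(name)
  !!(name.to_s =~ VALID_GEM_NAME)
end

# CVE-2018-1000077/1000078: the homepage attribute ends up rendered by a gem
# server, so require a parseable absolute http(s) URL with a host and treat
# anything else (other schemes, relative strings, unparseable text) as invalid.
def valid_homepage?(url)
  u = URI.parse(url.to_s)
  %w[http https].include?(u.scheme) && !u.host.nil? && !u.host.empty?
rescue URI::InvalidURIError
  false
end

# CVE-2018-1000074: Psych.load on attacker-supplied YAML can instantiate
# arbitrary Ruby objects. Psych.safe_load builds only scalars, arrays and
# hashes and raises Psych::DisallowedClass on any !ruby/object tag; malformed
# YAML is rejected as well. Both cases are reported to the caller as nil.
def load_gem_yaml(text)
  Psych.safe_load(text)
rescue Psych::DisallowedClass, Psych::SyntaxError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not real gem data.
  puts escape_terminal("rake\e[31m")                       # rake\e[31m
  puts valid_gem_name?("rake")                             # true
  puts valid_gem_name?("rake\nx")                          # false
  puts valid_homepage?("https://example.org/")             # true
  puts valid_homepage?("ftp://example.org/")               # false
  p    load_gem_yaml("name: foo\nversion: 1.0\n")          # {"name"=>"foo", "version"=>1.0}
  p    load_gem_yaml("--- !ruby/object:Object {}\n")       # nil
end
```

The escaping step is the one that matters for the four escape-sequence CVEs: it must sit at the output boundary (wherever say, alert_error or a raw write to stdout happens), so that it covers every error path and not only the one that was noticed first.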
We recommend that you upgrade your jruby packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlziikEACgkQhj1N8u2c
KO8hvw/+KPOQ1N0UqHx7z8JMzaxNpUShpK2x5F/A2VCJIYdcyp8TPT2lg5hnn6gr
83JZx/ipfC8pnw+Hac/BrR9fDp2yhqYBn0K5KAtf23gBXsRX2miXMTMP9Ijqd/M0
SjJE9zt1itE2JuUWkmnqWgnpiQEzH1Eat+1etIzolfRF9PMpj6Sw9y68qE+FGBMN
cRB0+3KF2OuDGP6YDiARLyo0rOiAEepzD/mukO2Qgzand/xBDlam3IrVPtCUJArS
ADTG694QWEVaZ+TmjZuC7YBnDvNeG2Pbk9R8m+DQPuFeIAhSxD/PmfhQENxQsSIe
FE9tqy714X9jtZR5XmKaUtFa+l7Th85EHWVtBXhNmJYy5S9TQGk+VJWwK8I48Wyx
nhgZ/UiFLFflRvDax0kLyox1zsol8qdUvCOhyDQTTmkH/LvtnkGtOMoBw4Uj/4fn
KSUE46lXQEzyDhv8FO3f0B9C5l1PPP9DGrByAgxoBB8D26PO3wQSlJcjrk6nD+vZ
lvTfW5KLZiFE/GlSKJxyo+wVK9tkqktufN+XeuJLM2Rop5lF4t8My9JXIbGs7wNX
UzhFv5FJ3MGiFMO+3apEgn0D6djocanE16FCNtcezaIwlvuA1waId0JzKpjRrAdg
lYNQK+nyQOOaRhW7boG3WNqo/XRrtU2tFXd0UHygHf2oDrk4vlA=
=+mOK
-----END PGP SIGNATURE-----