Package: jruby
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerabilities were published for jruby. Apparently
rubygems is embedded into jruby, which makes it vulnerable too.

CVE-2018-1000079[0]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in gem installation that can result
| in the gem could write to arbitrary filesystem locations during
| installation. This attack appears to be exploitable via the victim must
| install a malicious gem. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-1000078[1]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Cross Site Scripting (XSS) vulnerability in gem server display of
| homepage attribute that can result in XSS. This attack appears to be
| exploitable via the victim must browse to a malicious gem on a
| vulnerable gem server. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-1000077[2]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
| Improper Input Validation vulnerability in ruby gems specification
| homepage attribute that can result in a malicious gem could set an
| invalid homepage URL. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-1000076[3]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
| Improper Verification of Cryptographic Signature vulnerability in
| package.rb that can result in a mis-signed gem could be installed, as
| the tarball would contain multiple gem signatures. This vulnerability
| appears to have been fixed in 2.7.6.

CVE-2018-1000075[4]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
| infinite loop caused by negative size vulnerability in ruby gem
| package tar header that can result in a negative size could cause an
| infinite loop. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-1000074[5]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Deserialization of Untrusted Data vulnerability in owner command that
| can result in code execution. This attack appears to be exploitable via
| victim must run the `gem owner` command on a gem with a specially
| crafted YAML file. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-1000073[6]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in install_location function of
| package.rb that can result in path traversal when writing to a
| symlinked basedir outside of the root. This vulnerability appears to
| have been fixed in 2.7.6.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000079
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000079
[1] https://security-tracker.debian.org/tracker/CVE-2018-1000078
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078
[2] https://security-tracker.debian.org/tracker/CVE-2018-1000077
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000077
[3] https://security-tracker.debian.org/tracker/CVE-2018-1000076
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076
[4] https://security-tracker.debian.org/tracker/CVE-2018-1000075
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000075
[5] https://security-tracker.debian.org/tracker/CVE-2018-1000074
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074
[6] https://security-tracker.debian.org/tracker/CVE-2018-1000073
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000073

Please adjust the affected versions in the BTS as needed.

Regards,
Markus
signature.asc
Description: OpenPGP digital signature
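Added example (editor's code, not part of Markus's report and not RubyGems' own code): a small Ruby scan that a packager could run over a gem's contents tarball before installing it, covering the two archive-level conditions the CVE texts above describe, entry names or symlink targets that escape the extraction root (the directory traversal of CVE-2018-1000079 and CVE-2018-1000073) and a tar header whose size field parses to a negative number (the infinite loop of CVE-2018-1000075). It does not cover the YAML, signature or homepage issues, which live in metadata handling rather than in tar entry names and sizes. The helper names (tar_header, build_tar, escapes_root?, scan_tar, demo_findings) and the sample archive are my own constructions; the tar bytes are built in memory so the script runs offline. On a real .gem one would run scan_tar over the decompressed data.tar.gz found inside the outer .gem tar.

```ruby
# Pre-install scan of a gem's tar archive for path traversal and negative
# header sizes. Added example; the tar stream is constructed in memory by
# build_tar and is not taken from any real gem.
require 'stringio'

BLOCK = 512

# Build one ustar header block. size_field lets a caller inject a bogus size
# field such as "-1" in place of the real octal size (hypothetical malicious input).
def tar_header(name, size, typeflag: '0', linkname: '', size_field: nil)
  h = "\0" * BLOCK
  h[0, 100]   = name.ljust(100, "\0")
  h[100, 8]   = "0000644\0"                  # mode
  h[108, 8]   = "0000000\0"                  # uid
  h[116, 8]   = "0000000\0"                  # gid
  h[124, 12]  = (size_field || format('%011o', size)).ljust(12, "\0")
  h[136, 12]  = "00000000000\0"              # mtime
  h[148, 8]   = ' ' * 8                      # checksum is computed over spaces
  h[156, 1]   = typeflag
  h[157, 100] = linkname.ljust(100, "\0")
  h[257, 8]   = "ustar\x0000"                # magic + version
  h[148, 8]   = format('%06o', h.bytes.sum) + "\0 "
  h
end

# Assemble a tar stream: header, data padded to 512 bytes, two zero blocks.
def build_tar(entries)
  out = +''
  entries.each do |e|
    data = e[:content] || ''
    out << tar_header(e[:name], data.bytesize, typeflag: e[:typeflag] || '0',
                      linkname: e[:linkname] || '', size_field: e[:size_field])
    out << data << ("\0" * ((-data.bytesize) % BLOCK))
  end
  out << ("\0" * (BLOCK * 2))
end

# Reject absolute names and any ".." component (also with backslashes).
def escapes_root?(path)
  return true if path.start_with?('/')
  path.split(%r{[/\\]}).include?('..')
end

# Walk the headers without extracting anything and report what would be unsafe.
def scan_tar(bytes)
  findings = []
  io = StringIO.new(bytes)
  while (header = io.read(BLOCK)) && header.bytesize == BLOCK
    break if header.bytes.all?(&:zero?)        # end-of-archive marker
    name     = header[0, 100].delete("\0")
    typeflag = header[156, 1]
    linkname = header[157, 100].delete("\0")
    # String#oct returns a negative number for "-1"; a reader that trusts it
    # advances by zero or fewer bytes and never reaches the end of the stream.
    size = header[124, 12].delete("\0").strip.oct
    if size < 0
      findings << "#{name}: negative size #{size} in tar header"
      break                                    # next header cannot be located
    end
    findings << "#{name}: path escapes extraction root" if escapes_root?(name)
    if typeflag == '2' && escapes_root?(linkname)
      findings << "#{name}: symlink to #{linkname} outside extraction root"
    end
    io.seek(((size + BLOCK - 1) / BLOCK) * BLOCK, IO::SEEK_CUR)
  end
  findings
end

# Constructed sample archive: one benign entry and three malicious ones.
def demo_findings
  scan_tar(build_tar([
    { name: 'lib/good.rb', content: "puts 1\n" },
    { name: '../../../../tmp/owned', content: "evil\n" },
    { name: 'lib/link', typeflag: '2', linkname: '../../../etc' },
    { name: 'data.bin', content: 'x', size_field: "-1\0" }
  ]))
end

puts demo_findings if $PROGRAM_NAME == __FILE__
```

The scan stops at the first negative size on purpose: once the size field is untrustworthy there is no reliable way to find the next header, and a scanner that kept going would reproduce the same endless loop the CVE text describes. The ".." check is deliberately conservative and also rejects names like lib/../x that would resolve inside the root, since a gem has no legitimate reason to ship such paths.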
__ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.