Source: jruby X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi, The following vulnerabilities were published for jruby. CVE-2021-31810[0]: | An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, | and 3.x through 3.0.1. A malicious FTP server can use the PASV | response to trick Net::FTP into connecting back to a given IP address | and port. This potentially makes curl extract information about | services that are otherwise private and not disclosed (e.g., the | attacker can conduct port scans and service banner extractions). This also affects the gems bundled with jruby: https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/ https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469 (2.7) CVE-2021-32066[1]: | An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, | and 3.x through 3.0.1. Net::IMAP does not raise an exception when | StartTLS fails with an an unknown response, which might allow man-in- | the-middle attackers to bypass the TLS protections by leveraging a | network position between the client and the registry to block the | StartTLS command, aka a "StartTLS stripping attack." This also affects the gems bundled with jruby: https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/ https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a (2.7) If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-31810 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31810 [1] https://security-tracker.debian.org/tracker/CVE-2021-32066 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32066 Please adjust the affected versions in the BTS as needed. __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
