Your message dated Sat, 03 Dec 2022 20:46:19 +0000
with message-id <[email protected]>
and subject line Bug#1014818: fixed in jruby 9.3.9.0+ds-1
has caused the Debian Bug report #1014818,
regarding jruby: CVE-2021-31810 CVE-2021-32066
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1014818: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014818
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jruby
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for jruby.
CVE-2021-31810[0]:
| An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3,
| and 3.x through 3.0.1. A malicious FTP server can use the PASV
| response to trick Net::FTP into connecting back to a given IP address
| and port. This potentially makes curl extract information about
| services that are otherwise private and not disclosed (e.g., the
| attacker can conduct port scans and service banner extractions).
This also affects the gems bundled with jruby:
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469
(2.7)
CVE-2021-32066[1]:
| An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3,
| and 3.x through 3.0.1. Net::IMAP does not raise an exception when
| StartTLS fails with an unknown response, which might allow
| man-in-the-middle attackers to bypass the TLS protections by leveraging a
| network position between the client and the registry to block the
| StartTLS command, aka a "StartTLS stripping attack."
This also affects the gems bundled with jruby:
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a
(2.7)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-31810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31810
[1] https://security-tracker.debian.org/tracker/CVE-2021-32066
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32066
Please adjust the affected versions in the BTS as needed.
--- End Message ---
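As an added illustration (not part of the bug report, the Debian package, or the upstream fixes), the two defensive checks the advisories above call for, written in Ruby: a PASV reply whose advertised host differs from the control-connection peer is not followed as-is, and an IMAP STARTTLS response that is not a tagged OK aborts instead of continuing in cleartext. The reply formats, the `safe_data_endpoint` / `starttls_accepted!` names and the fall-back-to-peer policy are assumptions of this example, not the behaviour of the upstream patches.

```ruby
require "ipaddr"

# Parse a PASV reply such as "227 Entering Passive Mode (10,0,0,5,195,80)"
# into [host, port]. Returns nil if the reply is not a well-formed 227.
def parse_pasv(reply)
  m = reply.match(/\A227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)/)
  return nil unless m
  host = m[1..4].join(".")
  port = m[5].to_i * 256 + m[6].to_i
  [host, port]
end

# Decide where the data connection may go. The server's advertised
# address is only honoured when it equals the control-connection peer;
# any other address is replaced by the peer address so a hostile server
# cannot steer the client towards a third party. (Constructed policy
# modelled on the advisory's concern, not the upstream patch itself.)
def safe_data_endpoint(control_peer, reply)
  host, port = parse_pasv(reply)
  raise ArgumentError, "malformed PASV reply: #{reply.inspect}" unless host
  raise ArgumentError, "invalid data port #{port}" unless (1..65535).cover?(port)
  if IPAddr.new(host) != IPAddr.new(control_peer)
    warn "PASV advertised #{host}, using control peer #{control_peer} instead"
    host = control_peer
  end
  [host, port]
end

# IMAP: a STARTTLS command may only be followed by a TLS handshake when
# the server answered the same tag with OK. Anything else (NO, BAD, an
# unknown status, a response for another tag) must raise rather than
# silently leave the session in cleartext.
def starttls_accepted!(tag, response_line)
  m = response_line.match(/\A(\S+) (\S+)/)
  raise IOError, "unparseable STARTTLS response: #{response_line.inspect}" unless m
  raise IOError, "STARTTLS response for wrong tag: #{m[1]}" unless m[1] == tag
  raise IOError, "STARTTLS refused or unknown status: #{m[2]}" unless m[2] == "OK"
  true
end
```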
--- Begin Message ---
Source: jruby
Source-Version: 9.3.9.0+ds-1
Done: Jérôme Charaoui <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jruby, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jérôme Charaoui <[email protected]> (supplier of updated jruby package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 03 Dec 2022 12:32:59 -0500
Source: jruby
Architecture: source
Version: 9.3.9.0+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Jérôme Charaoui <[email protected]>
Closes: 895837 922682 960247 1014818
Changes:
jruby (9.3.9.0+ds-1) unstable; urgency=medium
.
* New upstream release incorporating security fixes for CVE-2021-31810
CVE-2021-32066 (Closes: #895837, #1014818)
* From this release onwards, JRuby no longer loads any C Ruby shared system
libraries, and instead bundles a set of Ruby 2.6-compatible gems in a pair
of orig-source tarballs. See d/README.source for details.
(Closes: #922682, #960247)
* Updated d/copyright for latest release and new components
* Repacked source to exclude prebuilt Windows binaries
* d/control:
- Dropped C Ruby shared system libs from Build-Deps
- Dropped jruby-openssl from Build-Deps, now bundled via orig-source gem
- Dropped upstream deprecated Build-Deps: libbytelist-java,
libmodulator-java, libunsafe-fences-java, libunsafe-mock-java, nailgun
- Dropped redundant Build-Dep: libjnr-x86asm-java
+ Added minimum versions for invokebinder and jffi Build-Deps
+ Added myself to Uploaders
+ Flagged testsuite-related Build-Deps with !nocheck
+ Bumped Standards-Version to 4.6.1, no changes needed
+ Added Rules-Requires-Root: no
* d/patches:
- Dropped LOAD_PATH jruby patch fully
+ Rebased patches for new upstream version
+ Added several patches for testsuite fixes and workarounds
* d/rules:
+ Added get-orig-source target to pull upstream tarball and generate
tarballs containing the required gems
+ Added execute_before_dh_auto_configure target to install ruby gems into
the jruby source tree prior to subsequent build and test targets, and
replace gem-bundled jars by those shipped in Debian packages
- Streamlined build and test targets to avoid unnecessary maven invocations
- Scaled down testing scope to java tests during build to focus unit and
integration testing in new autopkgtests
+ Fixed bin script shebangs not to use /usr/bin/env
+ Patched out code for loading bundled jars in readline and psych gems
+ Removed or replaced bundled fonts in documentation
* Updated maven rules and ignoreRules, cleaned up empty mavenhelper files
* Updated d/watch
* Added d/upstream/metadata
* Added autopkgtests
* Fixed typos in manpages
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---