Package: jruby
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

jruby bundles various modules from the Ruby stdlib, which have been affected by security issues:

CVE-2017-17742:
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://github.com/ruby/ruby/commit/d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16

CVE-2019-16201
https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03
https://hackerone.com/reports/661722
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/

CVE-2019-16254
https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
https://hackerone.com/reports/331984
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

CVE-2019-16255
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640

CVE-2020-25613
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7

The root cause for all of this is #926280

Cheers,
Moritz