Malware Devil

Monday, August 17, 2020

ESB-2020.2823 – [Debian] jruby: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2823
                           jruby security update
                              17 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jruby
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16255 CVE-2019-16254 CVE-2019-16201
                   CVE-2019-8325 CVE-2019-8324 CVE-2019-8323
                   CVE-2019-8322 CVE-2019-8321 CVE-2019-8320
                   CVE-2017-17742  

Reference:         ESB-2020.2243
                   ESB-2020.1852
                   ESB-2020.1016
                   ESB-2019.4696
                   ESB-2019.4477

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2330-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                                     
August 16, 2020                               https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : jruby
Version        : 1.7.26-1+deb9u2
CVE ID         : CVE-2017-17742 CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 
                 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 CVE-2019-16201 
                 CVE-2019-16254 CVE-2019-16255
Debian Bug     : 925987

Several vulnerabilities were fixed in JRuby,
a 100% pure-Java implementation of Ruby.

CVE-2017-17742
CVE-2019-16254

    HTTP Response Splitting attacks in the HTTP server of WEBrick.

CVE-2019-16201

    Regular Expression Denial of Service vulnerability of WEBrick's 
    Digest access authentication.

CVE-2019-8320

    Delete directory using symlink when decompressing tar.

CVE-2019-8321

    Escape sequence injection vulnerability in verbose.

CVE-2019-8322

    Escape sequence injection vulnerability in gem owner.

CVE-2019-8323

    Escape sequence injection vulnerability in API response handling.

CVE-2019-8324

    Installing a malicious gem may lead to arbitrary code execution.

CVE-2019-8325

    Escape sequence injection vulnerability in errors.

CVE-2019-16255

    Code injection vulnerability of Shell#[] and Shell#test.

For Debian 9 stretch, these problems have been fixed in version
1.7.26-1+deb9u2.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
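A check for the fixed version named in the advisory above, as an added example that is not part of the AusCERT or Debian text: a Python port of dpkg's version-comparison rules, so that `is_patched()` answers whether an installed jruby version string is at or above 1.7.26-1+deb9u2. The fixed version is taken from DLA-2330-1; using `dpkg-query -W -f='${Version}' jruby` to obtain the installed string is an assumption about how the check would be fed on a host.

```python
import re
from itertools import zip_longest

# Fixed version for Debian 9 "stretch", as stated in DLA-2330-1.
FIXED_JRUBY_STRETCH = "1.7.26-1+deb9u2"

def _order(c: str) -> int:
    # dpkg character weight: end-of-string weighs 0, '~' sorts before
    # everything else (so 1.0~rc1 < 1.0), letters before other symbols.
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp(): walk both strings as alternating non-digit
    # and digit runs; non-digit runs compare by character weight, digit runs
    # numerically, so leading zeros are irrelevant and 'u10' > 'u9'.
    runs_a, runs_b = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(a: str, b: str) -> int:
    # Returns -1, 0 or 1, mirroring dpkg --compare-versions lt/eq/gt.
    # A version is [epoch:]upstream[-revision]: the revision is the text
    # after the last '-', and a missing epoch means 0.
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    r = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)

def is_patched(installed: str, fixed: str = FIXED_JRUBY_STRETCH) -> bool:
    # True when the installed jruby is at or above the fixed version. On the
    # host, obtain the string with: dpkg-query -W -f='${Version}' jruby
    return compare_versions(installed, fixed) >= 0
```

Backport-style suffixes such as `~bpo9` sort below the plain version, so a `1.7.26-1+deb9u2~bpo9` build is correctly reported as not yet patched.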

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

https://www.malwaredevil.com/2020/08/17/esb-2020-2823-debian-jruby-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-2823-debian-jruby-multiple-vulnerabilities