MGASA-2020-0440

See a problem?
Please try reporting it to the source first.
Source
https://advisories.mageia.org/MGASA-2020-0440.html
Import Source
https://advisories.mageia.org/MGASA-2020-0440.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2020-0440
Related
Published
2020-11-27T20:14:57Z
Modified
2020-11-27T19:37:07Z
Summary
Updated jruby packages fix security vulnerabilities
Details

Response Splitting attack in the HTTP server of WEBrick (CVE-2017-17742).

Delete directory using symlink when decompressing tar (CVE-2019-8320).

Escape sequence injection vulnerability in verbose (CVE-2019-8321).

Escape sequence injection vulnerability in gem owner (CVE-2019-8322).

Escape sequence injection vulnerability in API response handling (CVE-2019-8323).

Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324).

Escape sequence injection vulnerability in errors (CVE-2019-8325).

Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication (CVE-2019-16201).

HTTP Response Splitting attack in the HTTP server of WEBrick (CVE-2019-16254).

Code injection vulnerability (CVE-2019-16255).

A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick (bundled along with jruby) was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle" a request (CVE-2020-25613).

References
Credits

Affected packages

Mageia:7 / jruby

Package

Name
jruby
Purl
pkg:rpm/mageia/jruby?distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.22-7.2.mga7

Ecosystem specific 

{
    "section": "core"
}