-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1805
                      [DLA 1796-1] jruby security update
                                 21 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jruby
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8325 CVE-2019-8324 CVE-2019-8323 CVE-2019-8322
                   CVE-2019-8321 CVE-2018-1000078 CVE-2018-1000077
                   CVE-2018-1000076 CVE-2018-1000075 CVE-2018-1000074
Reference:         ESB-2019.1739
                   ESB-2019.1674
                   ESB-2019.1314
                   ESB-2019.1252

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jruby
Version        : 1.5.6-9+deb8u1
CVE ID         : CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                 CVE-2018-1000077 CVE-2018-1000078 CVE-2019-8321
                 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
Debian Bug     : 895778 925987

Multiple vulnerabilities have been discovered in jruby, a Java implementation
of the Ruby programming language. All of them are in the RubyGems code that
jruby bundles (the `gem` command, the gem server and the package reader).

CVE-2018-1000074

    Deserialization of Untrusted Data vulnerability in the `gem owner`
    command that can result in code execution. The attack appears to be
    exploitable when the victim runs `gem owner` on a gem with a specially
    crafted YAML file.

CVE-2018-1000075

    An infinite loop caused by a negative size in a ruby gem package tar
    header: a negative size value makes the tar reader loop forever, so a
    crafted gem can cause a denial of service.

CVE-2018-1000076

    Improper Verification of Cryptographic Signature vulnerability in
    package.rb: a mis-signed gem could be installed, because the tarball
    could contain multiple gem signatures.

CVE-2018-1000077

    Improper Input Validation vulnerability in the ruby gems specification
    homepage attribute: a malicious gem could set an invalid homepage URL.

CVE-2018-1000078

    Cross Site Scripting (XSS) vulnerability in the gem server's display of
    the homepage attribute. The attack appears to be exploitable when the
    victim browses to a malicious gem on a vulnerable gem server.

CVE-2019-8321

    Gem::UserInteraction#verbose calls say without escaping, so escape
    sequence injection is possible.

CVE-2019-8322

    The gem owner command outputs the contents of the API response directly
    to stdout. Therefore, if the response is crafted, escape sequence
    injection may occur.

CVE-2019-8323

    Gem::GemcutterUtilities#with_response may output the API response to
    stdout as it is. Therefore, if the API side modifies the response, escape
    sequence injection may occur.

CVE-2019-8324

    A crafted gem with a multi-line name is not handled correctly.
    Therefore, an attacker could inject arbitrary code into the stub line of
    the gemspec.

CVE-2019-8325

    Gem::CommandManager#run calls alert_error without escaping, so escape
    sequence injection is possible. (There are many ways to cause an error.)

For Debian 8 "Jessie", these problems have been fixed in version
1.5.6-9+deb8u1.

We recommend that you upgrade your jruby packages.
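The four escape-sequence CVEs, the multi-line gem name (CVE-2019-8324), the homepage attribute (CVE-2018-1000077/1000078) and the negative tar size (CVE-2018-1000075) are all failures to validate gem-supplied data before it is printed, embedded or used as a length. The checks below are an added example written for this bulletin; they are not code from the Debian advisory or from RubyGems. The function names, the name and URL patterns and the sample inputs are this example's own choices, modelled on the bug classes described above.

```ruby
# Added example for this bulletin; not code from the Debian advisory or
# from RubyGems. Function names, patterns and sample inputs are this
# example's own, chosen to mirror the bug classes in the CVE text above.
require 'uri'

# CVE-2019-8321/8322/8323/8325: gem names, gemcutter API responses and
# error messages are echoed to the user's terminal. Unless control
# characters are neutralised first, a crafted value can inject ANSI escape
# sequences. Printable characters, tab and newline pass through; every
# other character is rendered as a visible \xNN escape.
def escape_terminal(str)
  str.to_s.scrub.gsub(/[^[:print:]\t\n]/) { |c| format('\\x%02X', c.ord) }
end

# CVE-2019-8324: a name containing a line break lets attacker text escape
# the one-line "stub" comment RubyGems writes at the top of a gemspec.
# Allow only a conservative character set and anchor with \z so that a
# trailing newline is rejected too. (Pattern is this example's choice.)
GEM_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

def valid_gem_name?(name)
  name.is_a?(String) && name.match?(GEM_NAME_RE)
end

# CVE-2018-1000077/1000078: the homepage attribute ends up as a link in the
# gem server's HTML, so accept only absolute http(s) URLs that have a host.
# A javascript: URL or a string that is not a URI at all is refused.
def valid_homepage?(url)
  return true if url.nil? || url.empty?        # no homepage is fine
  uri = URI.parse(url)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# CVE-2018-1000075: the 12-byte size field of a tar header holds an ASCII
# octal number terminated by NUL or space. String#oct accepts a sign, so a
# field reading "-0000000001" becomes -1 and an unchecked reader never
# reaches the end of the entry. The hardened parser accepts octal digits
# only; GNU base-256 sizes (first byte 0x80) are rejected as well, since an
# installer has no reason to accept them from an untrusted gem.
def unsafe_tar_size(field)      # the pattern to avoid
  field.unpack1('Z12').oct
end

def tar_size(field)
  raise ArgumentError, 'tar size field must be 12 bytes' unless field.bytesize == 12
  digits = field.unpack1('Z12').rstrip        # Z drops the NUL, rstrip the space
  unless digits.match?(/\A[0-7]+\z/)
    raise ArgumentError, "refusing non-octal tar size #{digits.inspect}"
  end
  digits.to_i(8)
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs, not taken from any real gem.
  puts escape_terminal("evil-gem\e[2J\e[H looks fine")
  p valid_gem_name?('rails'), valid_gem_name?("rails\nsystem('id')")
  p valid_homepage?('https://example.org'), valid_homepage?('javascript:alert(1)')
  p unsafe_tar_size("-0000000001\0"), tar_size("00000000123\0")
  begin
    tar_size("-0000000001\0")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The escaping is the general fix for the four output CVEs: it does not matter whether the string came from a gemspec, an HTTP response body or an exception message, as long as every path to the terminal passes through it. The name and homepage checks belong in specification validation, before a gem is built or served, and the tar size check belongs in the package reader, before any read loop trusts the length.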
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlziikEACgkQhj1N8u2c
KO8hvw/+KPOQ1N0UqHx7z8JMzaxNpUShpK2x5F/A2VCJIYdcyp8TPT2lg5hnn6gr
83JZx/ipfC8pnw+Hac/BrR9fDp2yhqYBn0K5KAtf23gBXsRX2miXMTMP9Ijqd/M0
SjJE9zt1itE2JuUWkmnqWgnpiQEzH1Eat+1etIzolfRF9PMpj6Sw9y68qE+FGBMN
cRB0+3KF2OuDGP6YDiARLyo0rOiAEepzD/mukO2Qgzand/xBDlam3IrVPtCUJArS
ADTG694QWEVaZ+TmjZuC7YBnDvNeG2Pbk9R8m+DQPuFeIAhSxD/PmfhQENxQsSIe
FE9tqy714X9jtZR5XmKaUtFa+l7Th85EHWVtBXhNmJYy5S9TQGk+VJWwK8I48Wyx
nhgZ/UiFLFflRvDax0kLyox1zsol8qdUvCOhyDQTTmkH/LvtnkGtOMoBw4Uj/4fn
KSUE46lXQEzyDhv8FO3f0B9C5l1PPP9DGrByAgxoBB8D26PO3wQSlJcjrk6nD+vZ
lvTfW5KLZiFE/GlSKJxyo+wVK9tkqktufN+XeuJLM2Rop5lF4t8My9JXIbGs7wNX
UzhFv5FJ3MGiFMO+3apEgn0D6djocanE16FCNtcezaIwlvuA1waId0JzKpjRrAdg
lYNQK+nyQOOaRhW7boG3WNqo/XRrtU2tFXd0UHygHf2oDrk4vlA=
=+mOK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXONL1WaOgq3Tt24GAQg/6A/8CYQK8QSnQfzG1uQvLLgoXj4UtyDE6/h4
nLn+vbPk4TAcPaCmrRLe8XttfbbYSjh0jq3vaWuJBjL+s0izuqNm1hXZmZRsQ3kl
Hig282xmepFPXaZtEKaXGKbQ801zdM5sywN7MjIXOEctNwrNNNurO5xLim0qHTmJ
8tEaWjC+h0xhCrFlCYEoMz3atQ8g5XbRos6/rP7j8vo2QUkz9c/o3CGdhcWWFxSY
XAIf34aVj9yReiP0Sl61yeGYwMO5xTcbYK0JHShTFR9D3F1psYrQUE05ZZ9F8ps7
TSBA7t8xMqGH3Hdi2sIvwsJ3bQmpVE+tXP/1T97iir9mNCwKpLjGPJUtbEWfxcQq
ihT9b5E6zs7w+EosvsinVIeN5qQISC2eOcYzquYLzT+tz4aioj7s0Yu/AkrM9Y19
KfqiaUyLU1Zs4s7rVxdYkYD+0HH3NdUXFEi5TgzLSXEaYRpNzJhSj9xq7OgWKqHY
knRjnrZojqVWHcZD4zR6oVwBOhaFSjupfiyLl8w3Zam1HMY7GDD8RuNYR24+wG89
HgUUshfRi8LkpwnqdqKEwsCaZpqOr+EoKQKeznYQN45bKTFhHN2geZAra+cneUb7
TMfQxcRPU0p1xSm4BDRcEo39JfMOkZx7Gh3Q9cjWFLVRl9Hl13O4epWAZBCEPJpY
Kz7EneagyQ0=
=Ppbq
-----END PGP SIGNATURE-----