-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1805
                    [DLA 1796-1] jruby security update
                                21 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jruby
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8325 CVE-2019-8324 CVE-2019-8323
                   CVE-2019-8322 CVE-2019-8321 CVE-2018-1000078
                   CVE-2018-1000077 CVE-2018-1000076 CVE-2018-1000075
                   CVE-2018-1000074  

Reference:         ESB-2019.1739
                   ESB-2019.1674
                   ESB-2019.1314
                   ESB-2019.1252

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jruby
Version        : 1.5.6-9+deb8u1
CVE ID         : CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                 CVE-2018-1000077 CVE-2018-1000078 CVE-2019-8321
                 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
Debian Bug     : 895778 925987


Multiple vulnerabilities have been discovered in jruby, a Java
implementation of the Ruby programming language. All of them are in the
copy of RubyGems that jruby bundles.

CVE-2018-1000074

    Deserialization of untrusted data in the `gem owner` command, which
    can result in code execution. To exploit it, the victim must run
    `gem owner` on a gem that contains a specially crafted YAML file.
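
    The following is an added example (not part of the Debian advisory
    and not RubyGems' own code) of why loading gem metadata with a full
    YAML load is dangerous: Psych honours `!ruby/object:` tags and calls
    the revived object's init_with hook, so an attacker who controls the
    YAML chooses which class runs code. The DemoGadget class and the
    YAML document are constructed for the example; a real attack would
    name a class already loaded in the gem process.

```ruby
require 'psych'

# Constructed stand-in for an attacker-chosen class. It only records that
# Psych instantiated it and ran its init_with hook; a real gadget would be
# a class already loaded in the process whose hooks do something harmful.
class DemoGadget
  @@invoked = []

  def self.invocations
    @@invoked
  end

  # Psych calls init_with on objects revived from a !ruby/object tag, so
  # anything placed here runs during deserialization, before the caller
  # has looked at the returned value.
  def init_with(coder)
    @@invoked << coder['cmd']
  end
end

# Constructed YAML of the kind a malicious gem could carry in its
# metadata. The tag tells Psych which class to instantiate.
CRAFTED_YAML = <<~YAML
  --- !ruby/object:DemoGadget
  cmd: "touch /tmp/pwned"
YAML

# Vulnerable pattern: a full (unsafe) load honours arbitrary object tags.
# Psych.load became safe by default in Psych 4, so use unsafe_load where
# it exists and fall back to the old unsafe Psych.load otherwise.
def load_unsafe(yaml)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(yaml)
  else
    Psych.load(yaml)
  end
end

# Hardened pattern: safe_load only revives scalars, arrays and hashes;
# any !ruby/object tag raises before init_with can run.
def load_safe(yaml)
  Psych.safe_load(yaml)
  :loaded
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  obj = load_unsafe(CRAFTED_YAML)
  puts "unsafe load built a #{obj.class}; init_with saw #{DemoGadget.invocations.inspect}"
  puts "safe load: #{load_safe(CRAFTED_YAML)}"
end
```

    Note that the hook fires during the load call itself; validating the
    returned object afterwards is too late.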

CVE-2018-1000075

    A negative size in the tar header of a gem package is not rejected
    and can cause an infinite loop while the package is read.
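
    Added example (not the Debian advisory's text and not RubyGems'
    Gem::Package::TarHeader) of how a signed size field turns a tar walk
    into a loop, and the two checks that stop it. The ustar layout used
    (size at offset 124, 12 octal bytes) is standard; the header builder,
    the archive and the guard in the walker are this example's.

```ruby
require 'stringio'

# Minimal ustar header handling, constructed for this example: name at
# offset 0 (100 bytes), size at offset 124 (12 bytes, octal, NUL/space
# padded), typeflag at 156, magic at 257.
BLOCK = 512

def build_header(name, size_field)
  header = "\0" * BLOCK
  header[0, name.bytesize] = name
  header[124, 12] = size_field.ljust(12, "\0")
  header[156] = "0"              # typeflag: regular file
  header[257, 6] = "ustar\0"
  header
end

# Naive size parsing: String#oct accepts a leading minus sign, so a size
# field reading "-1" parses to -1 instead of being rejected.
def parse_size_naive(header)
  header[124, 12].oct
end

# Hardened parsing: after removing the padding ustar allows, only octal
# digits may remain; a sign or any other junk raises.
def parse_size_strict(header)
  field = header[124, 12].delete("\0 ")
  raise ArgumentError, "tar header: bad size field #{field.inspect}" unless field.match?(/\A[0-7]+\z/)
  field.oct
end

# Walk the entries of a tar stream, skipping each entry's data. With the
# naive parser a size of -1 leaves the position where the header ended
# (-1 byte of data plus 1 byte of "padding"), so the same header would be
# read again forever; the guard turns that into an error. The strict
# parser refuses the header before the position is moved at all.
def list_entries(io, parser:, max_entries: 1000)
  names = []
  while (header = io.read(BLOCK))
    break if header.bytes.all?(&:zero?)        # end-of-archive block
    before = io.pos
    size = send(parser, header)
    names << header[0, 100].delete("\0")
    io.pos += size + ((BLOCK - size % BLOCK) % BLOCK)   # data, rounded up to a block
    raise "tar stream did not advance after #{names.last.inspect} (infinite loop)" if io.pos <= before
    raise "too many entries" if names.size > max_entries
  end
  names
end

# Constructed archive: a benign entry, optionally followed by a header
# whose size field is "-1", then the two zero blocks that end an archive.
def sample_archive(malicious: true)
  data = "hello\n"
  bytes = build_header("README", data.bytesize.to_s(8)) + data.ljust(BLOCK, "\0")
  bytes += build_header("evil", "-1") if malicious
  bytes + ("\0" * (BLOCK * 2))
end

# Returns the entry names, or the class of the error that stopped the walk.
def scan(parser, malicious: true)
  list_entries(StringIO.new(sample_archive(malicious: malicious)), parser: parser)
rescue StandardError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  puts "naive parser sees size #{parse_size_naive(build_header('evil', '-1'))}"
  puts "naive walk:  #{scan(:parse_size_naive).inspect}"
  puts "strict walk: #{scan(:parse_size_strict).inspect}"
end
```

    Both checks are worth having: the field validation rejects the bad
    header outright, and the advance guard catches any other arithmetic
    that fails to move the stream forward.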

CVE-2018-1000076

    Improper verification of cryptographic signatures in package.rb: a
    tarball containing multiple gem signatures could cause a mis-signed
    gem to be installed.
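
    Added example, not RubyGems' package.rb and not part of the advisory,
    of how a package that carries the same file name more than once can
    pass a name-keyed signature check while something unsigned gets
    installed. The split it models (verification keeps the last copy
    under each name, extraction takes the first) is this example's
    assumption about the failure mode; the signing is plain RSA/SHA-256
    via OpenSSL standing in for Gem::Security, and the packages are
    constructed in-line.

```ruby
require 'openssl'

# Constructed model of a gem package: an ordered list of tar entries
# [name, bytes]. A signed file <f> is accompanied by an entry "<f>.sig"
# holding a signature over <f>'s bytes. The key is generated fresh each
# run so the example is self-contained.
SIGNER_KEY = OpenSSL::PKey::RSA.new(2048)

def sign(bytes)
  SIGNER_KEY.sign(OpenSSL::Digest.new('SHA256'), bytes)
end

def signature_ok?(bytes, sig)
  return false if sig.nil?
  SIGNER_KEY.public_key.verify(OpenSSL::Digest.new('SHA256'), sig, bytes)
rescue OpenSSL::PKey::PKeyError
  false
end

META      = "name: benign\nversion: 1.0\n"
GOOD_DATA = "benign payload"
EVIL_DATA = "malicious payload"

# Package as the legitimate author signed it.
def signed_entries
  [['metadata.gz', META], ['metadata.gz.sig', sign(META)],
   ['data.tar.gz', GOOD_DATA], ['data.tar.gz.sig', sign(GOOD_DATA)]]
end

# Same package with an unsigned copy of data.tar.gz inserted in front of
# the signed one. No signature is forged; the name simply appears twice.
def crafted_entries
  [['metadata.gz', META], ['metadata.gz.sig', sign(META)],
   ['data.tar.gz', EVIL_DATA],
   ['data.tar.gz', GOOD_DATA], ['data.tar.gz.sig', sign(GOOD_DATA)]]
end

# Verification keyed by file name: a hash keeps one value per key, so for
# a repeated name it is the *last* copy whose signature gets checked.
def verify_signatures(entries)
  files = {}
  sigs = {}
  entries.each do |name, bytes|
    if name.end_with?('.sig')
      sigs[name.sub(/\.sig\z/, '')] = bytes
    else
      files[name] = bytes
    end
  end
  files.each do |name, bytes|
    raise "signature check failed for #{name}" unless signature_ok?(bytes, sigs[name])
  end
  raise "signature without a file" unless (sigs.keys - files.keys).empty?
end

# A streaming extractor naturally stops at the *first* entry with the
# wanted name, so it and the verifier above look at different copies.
def extract_data(entries)
  entries.find { |name, _| name == 'data.tar.gz' }.last
end

# Vulnerable install: verify, then extract.
def install_lax(entries)
  verify_signatures(entries)
  [:ok, extract_data(entries)]
rescue RuntimeError => e
  [:rejected, e.message]
end

# Hardened install: refuse any package in which an entry name occurs more
# than once, before either pass trusts content. With unique names the
# verifier and the extractor necessarily see the same bytes.
def install_strict(entries)
  names = entries.map(&:first)
  dups = names.select { |n| names.count(n) > 1 }.uniq
  raise "duplicate files in the package: #{dups.inspect}" unless dups.empty?
  install_lax(entries)
rescue RuntimeError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  puts "lax install of crafted package:    #{install_lax(crafted_entries).inspect}"
  puts "strict install of crafted package: #{install_strict(crafted_entries).inspect}"
end
```

    The general lesson is that verification and extraction must consume
    the same bytes; any state keyed by file name has to reject repeats.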

CVE-2018-1000077

    Improper input validation of the homepage attribute of a gem
    specification: a malicious gem could set an invalid homepage URL.

CVE-2018-1000078

    Cross-site scripting (XSS) in the gem server's display of the
    homepage attribute. To exploit it, the victim must browse to a
    malicious gem on a vulnerable gem server.
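
    Added example covering both CVE-2018-1000077 and CVE-2018-1000078
    (not RubyGems' own validation or gem server code, and not part of
    the advisory): validate the homepage attribute on input, and escape
    it on output regardless. The validation rule and the sample values
    are this example's.

```ruby
require 'uri'
require 'erb'

# Constructed homepage values of the kind a malicious gemspec could carry.
SAMPLE_HOMEPAGES = {
  benign:   'https://example.org/mygem',
  script:   'javascript:alert(document.cookie)',
  breakout: '"><script>alert(1)</script>',
  scheme:   'ftp://example.org/',
  garbage:  'not a url at all',
}

# Validation to apply when the specification is loaded or indexed: the
# value must parse as a URI, use http(s) and name a host. A javascript:
# URL has the wrong class, and a value with quotes or angle brackets does
# not parse at all. (The example's rule, not RubyGems' own.)
def valid_homepage?(value)
  uri = URI.parse(value.to_s)
  uri.is_a?(URI::HTTP) && !uri.host.nil? && !uri.host.empty?
rescue URI::InvalidURIError
  false
end

# Vulnerable rendering: the attribute is interpolated into HTML verbatim,
# so a value containing a quote or a tag rewrites the page.
def render_homepage_unsafe(value)
  %(<a href="#{value}">#{value}</a>)
end

# Hardened rendering: HTML-escape on output in every case, and only emit
# a link for a value that passed validation. Neither the href nor the
# element body is then attacker-controlled.
def render_homepage_safe(value)
  esc = ERB::Util.html_escape(value.to_s)
  valid_homepage?(value) ? %(<a href="#{esc}">#{esc}</a>) : esc
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HOMEPAGES.each do |label, value|
    puts "#{label}: valid=#{valid_homepage?(value)} rendered=#{render_homepage_safe(value)}"
  end
end
```

    Input validation and output escaping are separate defences: the
    first keeps junk out of the index, the second protects the page even
    when a value slipped in through another path.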

CVE-2019-8321

    Gem::UserInteraction#verbose calls say without escaping its
    argument, so escape sequence injection is possible.

CVE-2019-8322

    The `gem owner` command writes the contents of the API response
    directly to stdout, so a crafted response can inject escape
    sequences.

CVE-2019-8323

    Gem::GemcutterUtilities#with_response may write the API response to
    stdout as is, so if the API side modifies the response, escape
    sequence injection may occur.

CVE-2019-8324

    A crafted gem with a multi-line name is not handled correctly, so an
    attacker could inject arbitrary code into the stub line of the
    gemspec.
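
    Added example (not RubyGems' Gem::StubSpecification and not part of
    the advisory) of how a newline in a gem name escapes the "# stub:"
    comment line of an installed gemspec, and why a name check anchored
    with ^ and $ does not catch it. The file shape, the hash body that
    stands in for a Gem::Specification, the crafted name and the allowed
    character set are all this example's.

```ruby
# Effects recorded by the injected statement in the crafted example, so
# the demonstration does nothing outside this process.
INJECTED_EFFECTS = []

# Constructed model of an installed gemspec: a "# stub:" comment line
# followed by Ruby that is evaluated when the full specification is
# loaded. The body is a plain hash rather than a Gem::Specification.
def gemspec_source(name, version)
  <<~RUBY
    # -*- encoding: utf-8 -*-
    # stub: #{name} #{version} ruby lib

    { name: #{name.inspect}, version: #{version.inspect} }
  RUBY
end

# Loading the full specification evaluates the file. If the name held a
# newline, whatever followed it is no longer inside the "# stub:" comment
# and runs as Ruby. (eval on constructed input is the point of the demo.)
def load_spec(source)
  eval(source)
end

# A name that ends the stub comment, runs one statement, and comments
# out the rest of the original stub line so the file still parses.
CRAFTED_NAME = "evil\nINJECTED_EFFECTS << :ran\n#"

# Looks like validation, but ^ and $ in a Ruby regex match at *line*
# boundaries, so the first line "evil" satisfies it and the multi-line
# name passes.
def valid_gem_name_buggy?(name)
  name.match?(/^[a-zA-Z0-9][a-zA-Z0-9_.\-]*$/)
end

# Anchored to the whole string with \A and \z, the same pattern rejects
# any name containing a newline or anything else outside the set.
def valid_gem_name?(name)
  name.match?(/\A[a-zA-Z0-9][a-zA-Z0-9_.\-]*\z/)
end

# Install-time check: refuse to write a stub for a name that fails.
def install_stub(name, version)
  raise ArgumentError, "invalid gem name #{name.inspect}" unless valid_gem_name?(name)
  gemspec_source(name, version)
end

if __FILE__ == $PROGRAM_NAME
  puts gemspec_source(CRAFTED_NAME, "1.0")
  load_spec(gemspec_source(CRAFTED_NAME, "1.0"))
  puts "injected statement ran: #{INJECTED_EFFECTS.inspect}"
  puts "buggy check passes it: #{valid_gem_name_buggy?(CRAFTED_NAME)}, anchored check: #{valid_gem_name?(CRAFTED_NAME)}"
end
```

    The \A/\z versus ^/$ distinction is the practical caveat here: it is
    exactly the mistake a multi-line value is designed to exploit.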

CVE-2019-8325

    Gem::CommandManager#run calls alert_error without escaping its
    argument, so escape sequence injection is possible (and there are
    many ways to cause an error).
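
    Added example covering CVE-2019-8321, CVE-2019-8322, CVE-2019-8323
    and CVE-2019-8325, which share one root cause: text that an attacker
    can influence (an API response, a gem name in an error) reaches the
    terminal unescaped. The sanitiser below is this example's, not
    RubyGems' own cleaning helper, and the crafted response is
    constructed; it is not part of the advisory.

```ruby
# Constructed text of the kind an API response or error message could
# carry to a terminal: "\e[2J\e[H" clears the screen and homes the
# cursor, the OSC sequence rewrites the terminal title, "\e[8m" makes the
# text that follows invisible, and the plain text in between spoofs a
# harmless-looking status line.
CRAFTED_RESPONSE = "\e[2J\e[H\e]0;gem\aSuccessfully installed evil-1.0\n\e[8mhidden\e[0m"

# Vulnerable pattern: the text is handed to the terminal unchanged.
def say_unsafe(text)
  text
end

# CSI sequences: ESC [ parameter bytes, intermediate bytes, one final byte.
ANSI_CSI = /\e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/
# OSC sequences: ESC ] ... terminated by BEL or by ESC \ (string terminator).
ANSI_OSC = /\e\][^\a\e]*(?:\a|\e\\)/
# Remaining C0 control characters except tab and newline, plus DEL. This
# also removes a stray ESC the two patterns above did not consume, and
# CR, which can be used to overwrite the start of a line.
C0_CONTROL = /[\x00-\x08\x0b-\x1f\x7f]/

# Hardened pattern: strip escape sequences and control characters before
# the text is passed to anything like say or alert_error.
def clean_text(text)
  text.gsub(ANSI_OSC, '').gsub(ANSI_CSI, '').gsub(C0_CONTROL, '')
end

def say_safe(text)
  clean_text(text)
end

# True if printing the text would change terminal state, not just print.
def contains_terminal_controls?(text)
  clean_text(text) != text
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{say_unsafe(CRAFTED_RESPONSE).inspect}"
  puts "safe:   #{say_safe(CRAFTED_RESPONSE).inspect}"
end
```

    The sanitiser is a whitelist in effect: everything not printable or
    tab/newline is dropped. Output that is not UTF-8 and may carry 8-bit
    C1 controls (0x9b as a one-byte CSI) would need the same treatment
    for those bytes.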

For Debian 8 "Jessie", these problems have been fixed in version
1.5.6-9+deb8u1.

We recommend that you upgrade your jruby packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlziikEACgkQhj1N8u2c
KO8hvw/+KPOQ1N0UqHx7z8JMzaxNpUShpK2x5F/A2VCJIYdcyp8TPT2lg5hnn6gr
83JZx/ipfC8pnw+Hac/BrR9fDp2yhqYBn0K5KAtf23gBXsRX2miXMTMP9Ijqd/M0
SjJE9zt1itE2JuUWkmnqWgnpiQEzH1Eat+1etIzolfRF9PMpj6Sw9y68qE+FGBMN
cRB0+3KF2OuDGP6YDiARLyo0rOiAEepzD/mukO2Qgzand/xBDlam3IrVPtCUJArS
ADTG694QWEVaZ+TmjZuC7YBnDvNeG2Pbk9R8m+DQPuFeIAhSxD/PmfhQENxQsSIe
FE9tqy714X9jtZR5XmKaUtFa+l7Th85EHWVtBXhNmJYy5S9TQGk+VJWwK8I48Wyx
nhgZ/UiFLFflRvDax0kLyox1zsol8qdUvCOhyDQTTmkH/LvtnkGtOMoBw4Uj/4fn
KSUE46lXQEzyDhv8FO3f0B9C5l1PPP9DGrByAgxoBB8D26PO3wQSlJcjrk6nD+vZ
lvTfW5KLZiFE/GlSKJxyo+wVK9tkqktufN+XeuJLM2Rop5lF4t8My9JXIbGs7wNX
UzhFv5FJ3MGiFMO+3apEgn0D6djocanE16FCNtcezaIwlvuA1waId0JzKpjRrAdg
lYNQK+nyQOOaRhW7boG3WNqo/XRrtU2tFXd0UHygHf2oDrk4vlA=
=+mOK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXONL1WaOgq3Tt24GAQg/6A/8CYQK8QSnQfzG1uQvLLgoXj4UtyDE6/h4
nLn+vbPk4TAcPaCmrRLe8XttfbbYSjh0jq3vaWuJBjL+s0izuqNm1hXZmZRsQ3kl
Hig282xmepFPXaZtEKaXGKbQ801zdM5sywN7MjIXOEctNwrNNNurO5xLim0qHTmJ
8tEaWjC+h0xhCrFlCYEoMz3atQ8g5XbRos6/rP7j8vo2QUkz9c/o3CGdhcWWFxSY
XAIf34aVj9yReiP0Sl61yeGYwMO5xTcbYK0JHShTFR9D3F1psYrQUE05ZZ9F8ps7
TSBA7t8xMqGH3Hdi2sIvwsJ3bQmpVE+tXP/1T97iir9mNCwKpLjGPJUtbEWfxcQq
ihT9b5E6zs7w+EosvsinVIeN5qQISC2eOcYzquYLzT+tz4aioj7s0Yu/AkrM9Y19
KfqiaUyLU1Zs4s7rVxdYkYD+0HH3NdUXFEi5TgzLSXEaYRpNzJhSj9xq7OgWKqHY
knRjnrZojqVWHcZD4zR6oVwBOhaFSjupfiyLl8w3Zam1HMY7GDD8RuNYR24+wG89
HgUUshfRi8LkpwnqdqKEwsCaZpqOr+EoKQKeznYQN45bKTFhHN2geZAra+cneUb7
TMfQxcRPU0p1xSm4BDRcEo39JfMOkZx7Gh3Q9cjWFLVRl9Hl13O4epWAZBCEPJpY
Kz7EneagyQ0=
=Ppbq
-----END PGP SIGNATURE-----