===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3430.2
                    ruby2.3 and jruby security updates
                              6 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby2.3
                   jruby
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Existing Account
                   Reduced Security    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25613  

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2391
   https://www.debian.org/lts/security/2020/dla-2392

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running ruby2.3 or jruby check for an updated version of the 
         software for their operating system.
         
         This bulletin contains two (2) Debian security advisories.

Revision History:  October 6 2020: Updated Product Tag and Title
                   October 2 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-----------------------------------------------------------------------
Debian LTS Advisory DLA-2391-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
October 01, 2020                            https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : ruby2.3
Version        : 2.3.3-1+deb9u9
CVE ID         : CVE-2020-25613

A potential HTTP request smuggling vulnerability in WEBrick
was reported.

WEBrick (bundled along with ruby2.3) was too tolerant against
an invalid Transfer-Encoding header. This may lead to
inconsistent interpretation between WEBrick and some HTTP proxy
servers, which may allow the attacker to "smuggle" a request.

For Debian 9 stretch, this problem has been fixed in version
2.3.3-1+deb9u9.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-------------------------------------------------------------------------------

-----------------------------------------------------------------------
Debian LTS Advisory DLA-2392-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
October 01, 2020                            https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : jruby
Version        : 1.7.26-1+deb9u3
CVE ID         : CVE-2020-25613

A potential HTTP request smuggling vulnerability in WEBrick
was reported.

WEBrick (bundled along with jruby) was too tolerant against
an invalid Transfer-Encoding header. This may lead to
inconsistent interpretation between WEBrick and some HTTP proxy
servers, which may allow the attacker to "smuggle" a request.
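Both advisories above describe a parser that was too lenient with an invalid Transfer-Encoding header. As an added illustration (not code from Debian, AusCERT or WEBrick itself), here is the strict framing check a defender wants in a server or proxy: it refuses any request whose body length could be read differently by two hops. The header layout and helper names are assumptions.

```ruby
# Added example (not from the Debian advisory, AusCERT, or the WEBrick code):
# strict validation of the HTTP/1.1 message-framing headers so that a request
# a lenient parser might read one way and an upstream proxy another is
# rejected outright. Header layout and helper names are assumptions.

# Transfer codings registered by RFC 7230 / IANA; anything else is rejected.
KNOWN_CODINGS = %w[chunked gzip deflate compress identity].freeze

class FramingError < StandardError; end

# headers: Hash of lowercase header name => Array of raw field values (a header
# sent twice shows up as two entries). Returns :none, :content_length or
# :chunked when framing is unambiguous; raises FramingError otherwise.
def validate_framing(headers)
  te_values = headers.fetch("transfer-encoding", [])
  cl_values = headers.fetch("content-length", [])
  if te_values.empty?
    return :none if cl_values.empty?
    lengths = cl_values.map(&:strip).uniq
    raise FramingError, "conflicting Content-Length values" if lengths.size > 1
    raise FramingError, "malformed Content-Length" unless lengths[0].match?(/\A\d+\z/)
    return :content_length
  end

  # RFC 7230 3.3.3: a message with both headers is a smuggling vector; refuse it
  # rather than silently preferring one of them.
  raise FramingError, "Transfer-Encoding together with Content-Length" unless cl_values.empty?

  # Each list element must be exactly one known token: no parameters,
  # no stray characters, no empty elements such as "chunked,".
  codings = te_values.join(",").split(",", -1).map(&:strip)
  raise FramingError, "empty Transfer-Encoding" if codings.empty?
  codings.each do |c|
    raise FramingError, "malformed coding #{c.inspect}" unless c.match?(/\A[A-Za-z]+\z/)
    raise FramingError, "unknown coding #{c.inspect}" unless KNOWN_CODINGS.include?(c.downcase)
  end
  # chunked must be the final coding and must appear exactly once.
  raise FramingError, "chunked must be last" unless codings.last.casecmp?("chunked")
  raise FramingError, "chunked applied twice" if codings.count { |c| c.casecmp?("chunked") } > 1
  :chunked
end

# Convenience predicate for logging or tests: true when the request is refused.
def ambiguous_framing?(headers)
  validate_framing(headers)
  false
rescue FramingError
  true
end
```

Wiring `validate_framing` in before any body is read turns the "inconsistent interpretation" the advisory warns about into a logged 400 instead of a silently reframed request.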

For Debian 9 stretch, this problem has been fixed in version
1.7.26-1+deb9u3.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================