| Description: | Summary:
The remote host is missing an update for the Debian 'jruby' package(s) announced via the DLA-1796-1 advisory.
Vulnerability Insight:
Multiple vulnerabilities have been discovered in jruby, Java implementation of the Ruby programming language.
CVE-2018-1000074
Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file
CVE-2018-1000075
an infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop
CVE-2018-1000076
Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.
CVE-2018-1000077
Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL
CVE-2018-1000078
Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server
CVE-2019-8321
Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible
CVE-2019-8322
The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur
CVE-2019-8323
Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
CVE-2019-8324
A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec
CVE-2019-8325
Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
For Debian 8 Jessie, these problems have been fixed in version 1.5.6-9+deb8u1.
We recommend that you upgrade your jruby packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]
Affected Software/OS:
'jruby' package(s) on Debian 8.
Solution:
Please install the updated package(s).
CVSS Score:
7.5
CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
