Description: Summary: The remote host is missing an update for the Debian 'jruby' package(s) announced via the DLA-3408-1 advisory.
Vulnerability Insight: Several vulnerabilities were fixed in JRuby, a Java implementation of the Ruby programming language.
CVE-2017-17742, CVE-2019-16254: HTTP Response Splitting attacks in the HTTP server of WEBrick.
CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication.
CVE-2019-16255: Code injection vulnerability.
CVE-2020-25613: HTTP Request Smuggling attack in WEBrick.
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP.
CVE-2021-32066: Net::IMAP did not raise an exception when StartTLS fails with an unknown response.
CVE-2023-28755: Quadratic backtracking on invalid URI.
CVE-2023-28756: The Time parser mishandled invalid strings that have specific characters.
For Debian 10 buster, these problems have been fixed in version 9.1.17.0-3+deb10u1.
We recommend that you upgrade your jruby packages.
For the detailed security status of jruby please refer to its security tracker page at: [link moved to references]
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]
Affected Software/OS: 'jruby' package(s) on Debian 10.
Solution: Please install the updated package(s).
CVSS Score: 7.8
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C