Bug 10976

Summary: [Package Request] jruby
Product: [ROSA-based products] ROSA Fresh
Reporter: Zombie Ryushu <zombie.ryushu>
Component: Contributed Packages
Assignee: ROSA Linux Bugs <bugs>
Status: CONFIRMED ---
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: alzim, andrey.bondrov, denis.silakov, mc2374
Version: KDE4
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://advisories.mageia.org/MGASA-2020-0440.html
Whiteboard:
Platform: 2016.1 ROSA
Vulnerability identifier: CVE-2017-17742, CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-25613
RPM Package: jruby-1.7.22-7.2.mga7
ISO-related:
Bad POT generating:
Upstream:

Description Zombie Ryushu 2020-12-01 09:49:56 MSK
Response Splitting attack in the HTTP server of WEBrick (CVE-2017-17742).

Delete directory using symlink when decompressing tar (CVE-2019-8320).

Escape sequence injection vulnerability in verbose (CVE-2019-8321).

Escape sequence injection vulnerability in gem owner (CVE-2019-8322).

Escape sequence injection vulnerability in API response handling (CVE-2019-8323).

Installing a malicious gem may lead to arbitrary code execution
(CVE-2019-8324).

Escape sequence injection vulnerability in errors (CVE-2019-8325).

Regular Expression Denial of Service vulnerability of WEBrick's Digest access
authentication (CVE-2019-16201).

HTTP Response Splitting attack in the HTTP server of WEBrick (CVE-2019-16254).

Code injection vulnerability (CVE-2019-16255).

A potential HTTP request smuggling vulnerability in WEBrick was reported.
WEBrick (bundled along with jruby) was too tolerant against an invalid
Transfer-Encoding header. This may lead to inconsistent interpretation between
WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle"
a request (CVE-2020-25613).
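The request-smuggling issue described in the last paragraph comes down to two HTTP parsers (the server and a proxy in front of it) framing the same request differently when the Transfer-Encoding header is malformed or conflicts with Content-Length. The following Ruby snippet is an added example, written for this page and not taken from WEBrick, jruby, or the Mageia advisory; it shows the kind of strict framing check a server-side parser should apply so that such requests are rejected rather than tolerated. The header-line format, the list of accepted transfer codings, and the sample requests are all assumptions constructed for the example.

```ruby
# Added example (not WEBrick's or jruby's own code): a strict check of the
# message-framing headers of an incoming HTTP/1.1 request. Requests whose
# framing is ambiguous (unknown transfer coding, chunked not final, or
# Transfer-Encoding together with Content-Length) are rejected, which is the
# behaviour RFC 7230 section 3.3.3 asks of a server.

# Transfer codings this example accepts (assumed set, per RFC 7230 section 4).
VALID_CODINGS = %w[chunked gzip deflate compress identity].freeze

# Parse raw "Name: value" header lines into { lowercase-name => [values] }.
def parse_headers(raw)
  headers = Hash.new { |h, k| h[k] = [] }
  raw.each_line do |line|
    line = line.chomp
    next if line.empty?
    name, value = line.split(":", 2)
    raise ArgumentError, "malformed header line: #{line.inspect}" if value.nil? || name.strip.empty?
    headers[name.strip.downcase] << value.strip
  end
  headers
end

# Decide whether the request body framing is unambiguous.
# Returns [:ok, reason] when the request may be processed, [:reject, reason] otherwise.
def check_framing(raw_headers)
  headers = parse_headers(raw_headers)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]

  unless te.empty?
    codings = te.flat_map { |v| v.split(",") }.map { |c| c.strip.downcase }
    bad = codings.reject { |c| VALID_CODINGS.include?(c) }
    return [:reject, "unknown transfer coding(s): #{bad.join(', ')}"] unless bad.empty?
    # For a request, chunked must be the final coding; otherwise the length
    # cannot be determined and the server should answer 400.
    return [:reject, "chunked must be the final transfer coding"] unless codings.last == "chunked"
    # A message carrying both headers is ill-formed; do not pick one silently.
    return [:reject, "Transfer-Encoding and Content-Length both present"] unless cl.empty?
    return [:ok, "chunked framing"]
  end

  return [:ok, "no body"] if cl.empty?
  return [:reject, "conflicting Content-Length values"] if cl.uniq.size > 1
  return [:reject, "non-numeric Content-Length"] unless cl.first.match?(/\A\d+\z/)
  [:ok, "content-length framing"]
end

# Constructed sample header blocks to exercise the check.
SAMPLES = {
  "plain chunked"        => "Host: example.test\r\nTransfer-Encoding: chunked\r\n",
  "te plus cl"           => "Host: example.test\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n",
  "unknown coding"       => "Host: example.test\r\nTransfer-Encoding: xchunked\r\n",
  "duplicate cl"         => "Host: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n",
  "plain content-length" => "Host: example.test\r\nContent-Length: 12\r\n",
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |label, raw|
    verdict, reason = check_framing(raw)
    puts format("%-22s %-7s %s", label, verdict, reason)
  end
end
```

The point of the check is that every rejected case is one where a lenient parser would have had to guess, and a proxy in front of it might guess differently; refusing the request removes the disagreement instead of resolving it one way.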