Debian Package Tracker

general

source: jruby (main)
version: 9.1.17.0-3
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Miguel Landaeta [DMD]
arch: all
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.5.6-9
o-o-sec: 1.5.6-9+deb8u2
oldstable: 1.7.26-1+deb9u1
old-sec: 1.7.26-1+deb9u3
old-bpo: 9.1.13.0-1~bpo9+1
stable: 9.1.17.0-3
testing: 9.1.17.0-3
unstable: 9.1.17.0-3

versioned links

1.5.6-9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.5.6-9+deb8u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.7.26-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.7.26-1+deb9u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.1.13.0-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.1.17.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jruby (8 bugs: 1, 7, 0, 0)

action needed

Marked for autoremoval on 17 February due to ruby-psych: #959600, #972230, #976477, #977979, #959571, #976493 high

Version 9.1.17.0-3 of jruby is marked for autoremoval from testing on Wed 17 Feb 2021. It is affected by #959600, #972230, #976477, #977979. The removal of jruby will also cause the removal of (transitive) reverse dependencies: byteman, jruby-maven-plugins, jruby-openssl, plm, ruby-psych, yecht. It depends (transitively) on ruby-psych, affected by #959571, #976493. You should try to prevent the removal by fixing these RC bugs.

Created: 2021-01-18 Last update: 2021-01-24 20:37

A new upstream version is available: 9.2.14.0 high

A new upstream version 9.2.14.0 is available, you should consider packaging it.

Created: 2020-06-29 Last update: 2021-01-24 20:33

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2017-17742: Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
CVE-2019-16201: WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
CVE-2019-16254: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
CVE-2019-16255: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
CVE-2020-25613: An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

Please fix them.

Created: 2019-11-20 Last update: 2020-10-15 01:06

5 security issues in buster high

There are 5 open security issues in buster.

5 important issues:

CVE-2017-17742: Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
CVE-2019-16201: WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
CVE-2019-16254: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
CVE-2019-16255: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
CVE-2020-25613: An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

Please fix them.

Created: 2019-11-20 Last update: 2020-10-15 01:06

5 security issues in bullseye high

There are 5 open security issues in bullseye.

5 important issues:

CVE-2017-17742: Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
CVE-2019-16201: WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
CVE-2019-16254: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
CVE-2019-16255: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
CVE-2020-25613: An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

Please fix them.

Created: 2019-11-20 Last update: 2020-10-15 01:06

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2020-02-08 Last update: 2021-01-24 20:37

1 bug tagged help in the BTS normal

The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.

Created: 2019-03-21 Last update: 2021-01-24 20:30

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 9.2.14.0-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit aee7d3c479d303cdd7ce55d2be0963ed1cff447f
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Jan 7 19:00:05 2021 -0500

    d/rules: package missing libs in the final .deb, as jruby needs them

commit 37cac93a57086ac192d3cce3b6bf85222543a71f
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Jan 7 12:14:03 2021 -0500

    ruby-scanf is needed for the tests

commit 288906b95205e23bcb585303ff336527dd60e76e
Author: Utkarsh Gupta <utkarsh@debian.org>
Date:   Thu Jan 7 18:09:56 2021 +0530

    Don't BD on Debian revisions

commit dcf1365ee7a0158df189e185c0d900582ba42a57
Author: Utkarsh Gupta <utkarsh@debian.org>
Date:   Thu Jan 7 18:08:56 2021 +0530

    Prefer spaces over tabs in d/copyright

commit 734ca482377eb6789483a7ce62601848496f3799
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Wed Jan 6 17:59:24 2021 -0500

    d/test-tasks.txt: mri:fullint has been renamed to mri:core:fullint

commit 5607a6d94d7e24af02e712b1543b594f594cc2bc
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Wed Jan 6 17:23:54 2021 -0500

    d/patches: remove LOAD_PATH hacks from 0008.
    
    This is not needed anymore, since we're symlinking lib/ruby/gems/shared
    (in the upstream LOAD_PATH for tests) to lib/ruby/stdlib, where we're
    copying gems.

commit a539f5d20dda66a3d18b54d5b89277969df8fb1c
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Wed Jan 6 17:00:57 2021 -0500

    fix more testsuite errors

commit 9b2458875dbf12cd282d80b7aa360d9a8ca5cc1e
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Tue Jan 5 19:10:35 2021 -0500

    d/rules: don't fail on testsuite failure, for now.

commit 9508319010b76a14b0b9d2938dc9f4182934a547
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Tue Jan 5 18:35:42 2021 -0500

    add ruby-rake-ant as a dependency

commit 6aa2c20dfc95a8dc6456953398dc31aebc28291d
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Tue Jan 5 15:21:39 2021 -0500

    d/patches: update 0008 to use new ruby2.7 paths.

commit 08397e8b3e2d5f0300ed42f16c74444144f33538
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Fri Jan 1 15:08:51 2021 -0500

    d/control: update to dh13.

commit ffd10bfeb38278ee616ecbf22d935671c9679d19
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Fri Jan 1 15:07:00 2021 -0500

    d/patches: delete 0007 and don't add /usr/lib/ruby/vendor_ruby to the jruby LOAD_PATH anymore. (Closes: #977979, #977981)

commit a39ac050c8a79725cd82afcad55459a3a8c91e2d
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Fri Jan 1 14:55:47 2021 -0500

    Fix subpar changelog entries

commit 3282a5af45e933955f30d65f9830e12ea2f85c09
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Fri Jan 1 14:53:29 2021 -0500

    add fileutils to the copied libs, as it's also needed

commit 8da4573ed1283acad4ef137b8e90be3e9252e9cb
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 18:00:27 2020 -0500

    fix version and mark package as UNRELEASED

commit ed104ee3bf9daaec4258b2483bf9c7fd5f58ed42
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 17:43:28 2020 -0500

    d/rules: remote get-orig-source.

commit 05d3d3d3525c5f24f03f7bd4cd70e0dbe3006fd8
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 17:42:37 2020 -0500

    d/rules: fix where ruby2.7 libs are copied from for the testsuite. (Closes: #976477)

commit 6c89451b50a2acaec37e09199c5cf4dcc5426ea6
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 16:16:04 2020 -0500

    d/control: remove build conflict with open-infrastructure-locales-c.utf-8, as it has been removed from unstable.

commit 7ac162c8e8ca088df65a631aa624c5890bd6acc3
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 15:15:14 2020 -0500

    Merge 0002 in 0020 and refresh 0006

commit 66f2037575ef3204c732d882912aed940956a1d4
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 14:33:12 2020 -0500

    Fix missing entries in patch 0019

commit f7ea90cafd193baa46c7791c6d8b298c102e707a
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 13:07:37 2020 -0500

    Refactored 0001 into 0020 to truly disable polyglot maven.

commit cc6949912247cc64692418dd4a72861d8846dd33
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 12:44:52 2020 -0500

    Added 0019 to disable maven checksum plugin.

commit 83a8b88a0eab5b5079a2b84e3d3aa603208c9c89
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 12:40:10 2020 -0500

    Added 0018 to disable maven truezip plugin.

commit ef9718548c2b67dc44ef300603bca14928f189b8
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Wed Dec 30 19:30:10 2020 -0500

    Updated 0004-Add-missing-maven-artifacts-pom-files.patch with the next pom.xml files.

commit fd9a3208083c114438fcc2786719169f12ab77cb
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Wed Dec 30 18:43:24 2020 -0500

    Update dependencies and replace javax.annotation-api by jakarta.annotation.api.

commit 8d410e6041b808ba38d092210eb5b2b2130827e3
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 23:10:55 2020 +0100

    Ran wrap-and-sort -bastk.

commit 2841e6737af6b08f94081cbd468a904c6a247c25
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 23:05:53 2020 +0100

    Fixed new version in 0004-Add-missing-maven-artifacts-pom-files.patch.

commit 593844141529945838c2e243958b5e9361a2af2f
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 23:02:34 2020 +0100

    Removed applied upstream: 0018-fix-rubygem-vulnerabilities.patch.

commit 53ba45d6f929cdd5cf2fff13888470b32021adc9
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:58:11 2020 +0100

    Refreshed: 0016-Disable-SkinnyMethodAdapter-test.patch.

commit 9858edec84f2c49d4c0c4bb3b1783b523043e720
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:57:35 2020 +0100

    Rebased: 0015-javax-annotation-Generated.patch.

commit d163e0513f7805b26ed0d2fc0f6ad4cc9294fdc7
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:55:35 2020 +0100

    Refreshed: 0014-FELIX-5430.patch.

commit 572cd3bd759a53cb9b64de18d08a90093d4f427f
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:54:57 2020 +0100

    Rebased: 0013-Disable-regression-flaky-tests.patch.

commit cd593e81e6a054d9bae5628989646beb53f4c6c6
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:52:28 2020 +0100

    Rebased: 0012-Disable-jruby-flaky-tests.patch.

commit ac69a65b7476e9f976820ceb92bd712d9c049bdb
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:49:31 2020 +0100

    Rebased: 0011-Disable-failed-tests-in-sbuild.patch.

commit 5234f27d012ba078f132c1482a983467fdaa6a7c
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:46:22 2020 +0100

    Disabled: 0010-Exclude-mri-tests-failing-in-debian.patch.

commit 66e4f4c7b66d8c71f02f743b95457d79f4c94313
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:43:48 2020 +0100

    Rebased: 0007-Add-usr-lib-ruby-vendor-ruby-to-load-path.patch.

commit 1911548bddd727fe0d4e11b78a5ec2b92494bd6b
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:32:51 2020 +0100

      * Refreshed:
        - 0002-Disable-unpackaged-plugins-in-lib-module.patch.
        - 0005-Disable-jnr-ffi-native-usage.patch.

commit 2fbbe0d9cc4be72755f5cc7275615be25228e93b
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:32:21 2020 +0100

    Rebased 0001-Disable-polyglot-maven-extension.patch.

commit 892080ff9b07b0056e9a968783713066ec25c572
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:18:09 2020 +0100

    New upstream release 9.2.14.0

commit 5f46afcdbc2ab884aeb3dd0877bceb5012ae5579
Merge: f6e653039 42ac9b95d
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:17:30 2020 +0100

    Update upstream source from tag 'upstream/9.2.14.0'
    
    Update to upstream version '9.2.14.0'
    with Debian dir 9258cd56f0a84f1e186aa86e7c4b3c68e3eaec01

commit 42ac9b95d2190efcb002227de9de494e0ad6f815
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:17:30 2020 +0100

    New upstream version 9.2.14.0

Created: 2020-12-31 Last update: 2021-01-20 08:34

lintian reports 14 warnings normal

Lintian reports 14 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-09-21 Last update: 2020-09-21 06:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.3.0).

Created: 2019-07-08 Last update: 2020-11-17 05:41

news

[rss feed]

[2020-10-01] Accepted jruby 1.7.26-1+deb9u3 (source all) into oldstable (Utkarsh Gupta)
[2020-08-16] Accepted jruby 1.7.26-1+deb9u2 (source) into oldstable (Adrian Bunk)
[2019-12-10] Accepted jruby 1.5.6-9+deb8u2 (source all) into oldoldstable (Markus Koschany)
[2019-06-03] jruby 9.1.17.0-3 MIGRATED to testing (Debian testing watch)
[2019-05-29] Accepted jruby 9.1.17.0-3 (source) into unstable (Hideki Yamane)
[2019-05-20] Accepted jruby 1.5.6-9+deb8u1 (source all) into oldstable (Abhijith PA)
[2019-05-08] jruby 9.1.17.0-2.1 MIGRATED to testing (Debian testing watch)
[2019-05-03] Accepted jruby 9.1.17.0-2.1 (source) into unstable (Salvatore Bonaccorso)
[2019-03-08] jruby 9.1.17.0-2 MIGRATED to testing (Debian testing watch)
[2019-02-26] Accepted jruby 9.1.17.0-2 (source) into unstable (Andrej Shadura)
[2019-02-25] Accepted jruby 9.1.17.0-1 (source) into unstable (Andrej Shadura)
[2018-06-12] Accepted jruby 1.7.26-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Markus Koschany)
[2018-06-08] Accepted jruby 1.7.26-1+deb9u1 (source all) into stable->embargoed, stable (Markus Koschany)
[2018-04-17] Accepted jruby 1.5.6-5+deb7u2 (source all) into oldoldstable (Markus Koschany)
[2018-04-01] Accepted jruby 1.5.6-5+deb7u1 (source all) into oldoldstable (Santiago R.R.) (signed by: Santiago Ruano Rincón)
[2017-10-15] Accepted jruby 9.1.13.0-1~bpo9+1 (source all) into stretch-backports (Miguel Landaeta)
[2017-10-11] jruby 9.1.13.0-1 MIGRATED to testing (Debian testing watch)
[2017-10-05] Accepted jruby 9.1.13.0-1 (source) into unstable (Miguel Landaeta)
[2017-09-29] Accepted jruby 9.1.8.0-3~bpo9+1 (source all) into stretch-backports, stretch-backports (Miguel Landaeta)
[2017-09-24] jruby 9.1.8.0-3 MIGRATED to testing (Debian testing watch)
[2017-09-18] Accepted jruby 9.1.8.0-3 (source) into unstable (Miguel Landaeta)
[2017-08-25] jruby 9.1.8.0-2 MIGRATED to testing (Debian testing watch)
[2017-07-28] Accepted jruby 9.1.8.0-2 (source) into unstable (Miguel Landaeta)
[2017-07-23] Accepted jruby 9.1.8.0-1 (source all) into unstable (Miguel Landaeta)
[2017-04-21] Accepted jruby 9.1.8.0-1~exp3 (source) into experimental (Miguel Landaeta)
[2017-04-17] Accepted jruby 9.1.8.0-1~exp2 (source) into experimental (Miguel Landaeta)
[2017-03-11] Accepted jruby 9.1.8.0-1~exp1 (source) into experimental (Miguel Landaeta)
[2017-03-07] Accepted jruby 9.1.6.0-1~exp3 (source) into experimental (Miguel Landaeta)
[2017-03-04] Accepted jruby 9.1.6.0-1~exp2 (source) into experimental (Miguel Landaeta)
[2017-02-11] Accepted jruby 9.1.6.0-1~exp1 (source) into experimental (Miguel Landaeta)

bugs [bug history graph]

all: 14
RC: 2
I&N: 8
M&W: 1
F&P: 3
patch: 0
help: 1

links

homepage
lintian (0, 14)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.1.17.0-3build6
4 bugs