Debian Package Tracker

general

source: jruby (main)
version: 9.1.13.0-1
maintainer: Debian Java Maintainers (archive) [DMD]
uploaders: Miguel Landaeta [DMD]
arch: all
std-ver: 4.1.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.5.6-5
o-o-sec: 1.5.6-5+deb7u2
oldstable: 1.5.6-9
stable: 1.7.26-1+deb9u1
stable-sec: 1.7.26-1+deb9u1
stable-bpo: 9.1.13.0-1~bpo9+1
testing: 9.1.13.0-1
unstable: 9.1.13.0-1

versioned links

1.5.6-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.5.6-5+deb7u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.5.6-9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.7.26-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.1.13.0-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.1.13.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jruby

action needed

A new upstream version is available: 9.2.0.0 high

A new upstream version 9.2.0.0 is available, you should consider packaging it.

Created: 2017-11-21 Last update: 2018-08-18 02:01

7 security issues in sid high

There are 7 open security issues in sid.

7 important issues:

CVE-2018-1000074: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000075: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000076: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000077: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000079: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000073: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000078: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.

Please fix them.

Created: 2018-02-22 Last update: 2018-07-14 12:55

7 security issues in buster high

There are 7 open security issues in buster.

7 important issues:

CVE-2018-1000074: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000075: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000076: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000077: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000079: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000073: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000078: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.

Please fix them.

Created: 2018-02-22 Last update: 2018-07-14 12:55

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2016-04-06 Last update: 2018-08-18 02:16

1 bug tagged help in the BTS normal

The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.

Created: 2018-05-30 Last update: 2018-08-18 01:33

lintian reports 10 warnings normal

Lintian reports 10 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2015-03-07 Last update: 2018-04-13 07:51

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.1.4 instead of 4.1.1).

Created: 2018-04-02 Last update: 2018-06-08 13:38

news

[rss feed]

[2018-06-12] Accepted jruby 1.7.26-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Markus Koschany)
[2018-06-08] Accepted jruby 1.7.26-1+deb9u1 (source all) into stable->embargoed, stable (Markus Koschany)
[2018-04-17] Accepted jruby 1.5.6-5+deb7u2 (source all) into oldoldstable (Markus Koschany)
[2018-04-01] Accepted jruby 1.5.6-5+deb7u1 (source all) into oldoldstable (Santiago R.R.) (signed by: Santiago Ruano Rincón)
[2018-04-01] Accepted jruby 1.5.6-5+deb7u1 (source all) into oldoldstable (Santiago R.R.) (signed by: Santiago Ruano Rincón)
[2017-10-15] Accepted jruby 9.1.13.0-1~bpo9+1 (source all) into stretch-backports (Miguel Landaeta)
[2017-10-11] jruby 9.1.13.0-1 MIGRATED to testing (Debian testing watch)
[2017-10-05] Accepted jruby 9.1.13.0-1 (source) into unstable (Miguel Landaeta)
[2017-09-29] Accepted jruby 9.1.8.0-3~bpo9+1 (source all) into stretch-backports, stretch-backports (Miguel Landaeta)
[2017-09-24] jruby 9.1.8.0-3 MIGRATED to testing (Debian testing watch)
[2017-09-18] Accepted jruby 9.1.8.0-3 (source) into unstable (Miguel Landaeta)
[2017-08-25] jruby 9.1.8.0-2 MIGRATED to testing (Debian testing watch)
[2017-07-28] Accepted jruby 9.1.8.0-2 (source) into unstable (Miguel Landaeta)
[2017-07-23] Accepted jruby 9.1.8.0-1 (source all) into unstable (Miguel Landaeta)
[2017-04-21] Accepted jruby 9.1.8.0-1~exp3 (source) into experimental (Miguel Landaeta)
[2017-04-17] Accepted jruby 9.1.8.0-1~exp2 (source) into experimental (Miguel Landaeta)
[2017-03-11] Accepted jruby 9.1.8.0-1~exp1 (source) into experimental (Miguel Landaeta)
[2017-03-07] Accepted jruby 9.1.6.0-1~exp3 (source) into experimental (Miguel Landaeta)
[2017-03-04] Accepted jruby 9.1.6.0-1~exp2 (source) into experimental (Miguel Landaeta)
[2017-02-11] Accepted jruby 9.1.6.0-1~exp1 (source) into experimental (Miguel Landaeta)
[2016-11-19] jruby 1.7.26-1 MIGRATED to testing (Debian testing watch)
[2016-11-12] Accepted jruby 1.7.26-1 (source all) into unstable (Miguel Landaeta)
[2016-01-04] jruby 1.7.22-2 MIGRATED to testing (Debian testing watch)
[2015-12-29] Accepted jruby 1.7.22-2 (source all) into unstable (Miguel Landaeta)
[2015-09-23] jruby 1.7.22-1 MIGRATED to testing (Britney)
[2015-09-17] Accepted jruby 1.7.22-1 (source all) into unstable (Miguel Landaeta)
[2015-08-01] jruby 1.7.21-2 MIGRATED to testing (Britney)
[2015-07-29] Accepted jruby 1.7.21-2 (source all) into unstable (Miguel Landaeta)
[2015-07-16] jruby 1.7.21-1 MIGRATED to testing (Britney)
[2015-07-10] Accepted jruby 1.7.21-1 (source all) into unstable (Miguel Landaeta)

bugs [bug history graph]

all: 7
RC: 2
I&N: 4
M&W: 1
F&P: 0
patch: 0
help: 1

links

homepage
lintian (0, 10)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.1.13.0-1
4 bugs