Debian Package Tracker

jruby

100% pure-Java implementation of Ruby


general
  • source: jruby (main)
  • version: 9.1.17.0-3
  • maintainer: Debian Java Maintainers (archive) (DMD)
  • uploaders: Miguel Landaeta [DMD]
  • arch: all
  • std-ver: 4.3.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1.5.6-9
  • o-o-sec: 1.5.6-9+deb8u2
  • oldstable: 1.7.26-1+deb9u1
  • old-sec: 1.7.26-1+deb9u1
  • old-bpo: 9.1.13.0-1~bpo9+1
  • stable: 9.1.17.0-3
  • testing: 9.1.17.0-3
  • unstable: 9.1.17.0-3
versioned links
  • 1.5.6-9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.5.6-9+deb8u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.7.26-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.1.13.0-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.1.17.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • jruby (6 bugs: 0, 6, 0, 0)
action needed
A new upstream version is available: 9.2.9.0 (high)
A new upstream version 9.2.9.0 is available, you should consider packaging it.
Created: 2017-11-21 Last update: 2019-12-10 21:06
4 security issues in buster (high)
There are 4 open security issues in buster.
4 important issues:
  • CVE-2019-16254: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
  • CVE-2019-16255: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
  • CVE-2019-15845: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
  • CVE-2019-16201: WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
Please fix them.
Created: 2019-11-20 Last update: 2019-12-10 20:39
4 security issues in bullseye (high)
There are 4 open security issues in bullseye.
4 important issues:
  • CVE-2019-16254: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
  • CVE-2019-16255: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
  • CVE-2019-15845: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
  • CVE-2019-16201: WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
Please fix them.
Created: 2019-11-20 Last update: 2019-12-10 20:39
4 security issues in sid (high)
There are 4 open security issues in sid.
4 important issues:
  • CVE-2019-16254: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
  • CVE-2019-16255: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
  • CVE-2019-15845: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
  • CVE-2019-16201: WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
Please fix them.
Created: 2019-11-20 Last update: 2019-12-10 20:39
10 security issues in stretch (high)
There are 10 open security issues in stretch.
10 important issues:
  • CVE-2019-16254: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
  • CVE-2019-16255: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
  • CVE-2019-15845: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
  • CVE-2019-8324: An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
  • CVE-2019-8325: An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
  • CVE-2019-8322: An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
  • CVE-2019-8323: An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
  • CVE-2019-8320: A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.
  • CVE-2019-8321: An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.
  • CVE-2019-16201: WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
Please fix them.
Created: 2019-03-26 Last update: 2019-12-10 20:39
1 bug tagged help in the BTS (normal)
The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.
Created: 2019-03-21 Last update: 2019-12-10 22:02
lintian reports 12 warnings (normal)
Lintian reports 12 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2019-09-01 Last update: 2019-09-01 15:13
Standards version of the package is outdated (wishlist)
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.4.1 instead of 4.3.0).
Created: 2019-07-08 Last update: 2019-09-29 23:39
news
[rss feed]
  • [2019-12-10] Accepted jruby 1.5.6-9+deb8u2 (source all) into oldoldstable (Markus Koschany)
  • [2019-06-03] jruby 9.1.17.0-3 MIGRATED to testing (Debian testing watch)
  • [2019-05-29] Accepted jruby 9.1.17.0-3 (source) into unstable (Hideki Yamane)
  • [2019-05-20] Accepted jruby 1.5.6-9+deb8u1 (source all) into oldstable (Abhijith PA)
  • [2019-05-08] jruby 9.1.17.0-2.1 MIGRATED to testing (Debian testing watch)
  • [2019-05-03] Accepted jruby 9.1.17.0-2.1 (source) into unstable (Salvatore Bonaccorso)
  • [2019-03-08] jruby 9.1.17.0-2 MIGRATED to testing (Debian testing watch)
  • [2019-02-26] Accepted jruby 9.1.17.0-2 (source) into unstable (Andrej Shadura)
  • [2019-02-25] Accepted jruby 9.1.17.0-1 (source) into unstable (Andrej Shadura)
  • [2018-06-12] Accepted jruby 1.7.26-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Markus Koschany)
  • [2018-06-08] Accepted jruby 1.7.26-1+deb9u1 (source all) into stable->embargoed, stable (Markus Koschany)
  • [2018-04-17] Accepted jruby 1.5.6-5+deb7u2 (source all) into oldoldstable (Markus Koschany)
  • [2018-04-01] Accepted jruby 1.5.6-5+deb7u1 (source all) into oldoldstable (Santiago R.R.) (signed by: Santiago Ruano Rincón)
  • [2017-10-15] Accepted jruby 9.1.13.0-1~bpo9+1 (source all) into stretch-backports (Miguel Landaeta)
  • [2017-10-11] jruby 9.1.13.0-1 MIGRATED to testing (Debian testing watch)
  • [2017-10-05] Accepted jruby 9.1.13.0-1 (source) into unstable (Miguel Landaeta)
  • [2017-09-29] Accepted jruby 9.1.8.0-3~bpo9+1 (source all) into stretch-backports, stretch-backports (Miguel Landaeta)
  • [2017-09-24] jruby 9.1.8.0-3 MIGRATED to testing (Debian testing watch)
  • [2017-09-18] Accepted jruby 9.1.8.0-3 (source) into unstable (Miguel Landaeta)
  • [2017-08-25] jruby 9.1.8.0-2 MIGRATED to testing (Debian testing watch)
  • [2017-07-28] Accepted jruby 9.1.8.0-2 (source) into unstable (Miguel Landaeta)
  • [2017-07-23] Accepted jruby 9.1.8.0-1 (source all) into unstable (Miguel Landaeta)
  • [2017-04-21] Accepted jruby 9.1.8.0-1~exp3 (source) into experimental (Miguel Landaeta)
  • [2017-04-17] Accepted jruby 9.1.8.0-1~exp2 (source) into experimental (Miguel Landaeta)
  • [2017-03-11] Accepted jruby 9.1.8.0-1~exp1 (source) into experimental (Miguel Landaeta)
  • [2017-03-07] Accepted jruby 9.1.6.0-1~exp3 (source) into experimental (Miguel Landaeta)
  • [2017-03-04] Accepted jruby 9.1.6.0-1~exp2 (source) into experimental (Miguel Landaeta)
  • [2017-02-11] Accepted jruby 9.1.6.0-1~exp1 (source) into experimental (Miguel Landaeta)
  • [2016-11-19] jruby 1.7.26-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 8
  • RC: 0
  • I&N: 7
  • M&W: 1
  • F&P: 0
  • patch: 0
  • help: 1
links
  • homepage
  • lintian (0, 12)
  • buildd: logs, clang, reproducibility
  • popcon
  • browse source code
  • edit tags
  • security tracker
  • screenshots
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 9.1.17.0-3
  • 5 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers