jruby - Debian Package Tracker

general

source: jruby (main)
version: 9.1.17.0-3
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Miguel Landaeta [DMD]
arch: all
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.7.26-1+deb9u1
old-sec: 1.7.26-1+deb9u3
old-bpo: 9.1.13.0-1~bpo9+1
stable: 9.1.17.0-3
unstable: 9.1.17.0-3

versioned links

1.7.26-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.7.26-1+deb9u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.1.13.0-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.1.17.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jruby (8 bugs: 1, 7, 0, 0)

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://github.com/jruby/jruby/releases  /jruby/jruby/archive/([0-9].+)\.tar\.gz

Created: 2021-03-21 Last update: 2021-06-15 15:40

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2017-17742: Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
CVE-2019-16201: WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
CVE-2019-16254: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
CVE-2019-16255: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
CVE-2020-25613: An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

Created: 2021-02-19 Last update: 2021-04-07 20:01

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 20-day delay is over. Check why.

Created: 2021-02-17 Last update: 2021-06-15 17:04

1 bug tagged help in the BTS normal

The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.

Created: 2019-03-21 Last update: 2021-06-15 17:01

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 9.2.14.0-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit aee7d3c479d303cdd7ce55d2be0963ed1cff447f
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Jan 7 19:00:05 2021 -0500

    d/rules: package missing libs in the final .deb, as jruby needs them

commit 37cac93a57086ac192d3cce3b6bf85222543a71f
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Jan 7 12:14:03 2021 -0500

    ruby-scanf is needed for the tests

commit 288906b95205e23bcb585303ff336527dd60e76e
Author: Utkarsh Gupta <utkarsh@debian.org>
Date:   Thu Jan 7 18:09:56 2021 +0530

    Don't BD on Debian revisions

commit dcf1365ee7a0158df189e185c0d900582ba42a57
Author: Utkarsh Gupta <utkarsh@debian.org>
Date:   Thu Jan 7 18:08:56 2021 +0530

    Prefer spaces over tabs in d/copyright

commit 734ca482377eb6789483a7ce62601848496f3799
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Wed Jan 6 17:59:24 2021 -0500

    d/test-tasks.txt: mri:fullint has been renamed to mri:core:fullint

commit 5607a6d94d7e24af02e712b1543b594f594cc2bc
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Wed Jan 6 17:23:54 2021 -0500

    d/patches: remove LOAD_PATH hacks from 0008.
    
    This is not needed anymore, since we're symlinking lib/ruby/gems/shared
    (in the upstream LOAD_PATH for tests) to lib/ruby/stdlib, where we're
    copying gems.

commit a539f5d20dda66a3d18b54d5b89277969df8fb1c
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Wed Jan 6 17:00:57 2021 -0500

    fix more testsuite errors

commit 9b2458875dbf12cd282d80b7aa360d9a8ca5cc1e
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Tue Jan 5 19:10:35 2021 -0500

    d/rules: don't fail on testsuite failure, for now.

commit 9508319010b76a14b0b9d2938dc9f4182934a547
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Tue Jan 5 18:35:42 2021 -0500

    add ruby-rake-ant as a dependency

commit 6aa2c20dfc95a8dc6456953398dc31aebc28291d
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Tue Jan 5 15:21:39 2021 -0500

    d/patches: update 0008 to use new ruby2.7 paths.

commit 08397e8b3e2d5f0300ed42f16c74444144f33538
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Fri Jan 1 15:08:51 2021 -0500

    d/control: update to dh13.

commit ffd10bfeb38278ee616ecbf22d935671c9679d19
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Fri Jan 1 15:07:00 2021 -0500

    d/patches: delete 0007 and don't add /usr/lib/ruby/vendor_ruby to the jruby LOAD_PATH anymore. (Closes: #977979, #977981)

commit a39ac050c8a79725cd82afcad55459a3a8c91e2d
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Fri Jan 1 14:55:47 2021 -0500

    Fix subpar changelog entries

commit 3282a5af45e933955f30d65f9830e12ea2f85c09
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Fri Jan 1 14:53:29 2021 -0500

    add fileutils to the copied libs, as it's also needed

commit 8da4573ed1283acad4ef137b8e90be3e9252e9cb
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 18:00:27 2020 -0500

    fix version and mark package as UNRELEASED

commit ed104ee3bf9daaec4258b2483bf9c7fd5f58ed42
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 17:43:28 2020 -0500

    d/rules: remote get-orig-source.

commit 05d3d3d3525c5f24f03f7bd4cd70e0dbe3006fd8
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 17:42:37 2020 -0500

    d/rules: fix where ruby2.7 libs are copied from for the testsuite. (Closes: #976477)

commit 6c89451b50a2acaec37e09199c5cf4dcc5426ea6
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 16:16:04 2020 -0500

    d/control: remove build conflict with open-infrastructure-locales-c.utf-8, as it has been removed from unstable.

commit 7ac162c8e8ca088df65a631aa624c5890bd6acc3
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 15:15:14 2020 -0500

    Merge 0002 in 0020 and refresh 0006

commit 66f2037575ef3204c732d882912aed940956a1d4
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 14:33:12 2020 -0500

    Fix missing entries in patch 0019

commit f7ea90cafd193baa46c7791c6d8b298c102e707a
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 13:07:37 2020 -0500

    Refactored 0001 into 0020 to truly disable polyglot maven.

commit cc6949912247cc64692418dd4a72861d8846dd33
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 12:44:52 2020 -0500

    Added 0019 to disable maven checksum plugin.

commit 83a8b88a0eab5b5079a2b84e3d3aa603208c9c89
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Thu Dec 31 12:40:10 2020 -0500

    Added 0018 to disable maven truezip plugin.

commit ef9718548c2b67dc44ef300603bca14928f189b8
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Wed Dec 30 19:30:10 2020 -0500

    Updated 0004-Add-missing-maven-artifacts-pom-files.patch with the next pom.xml files.

commit fd9a3208083c114438fcc2786719169f12ab77cb
Author: Louis-Philippe Véronneau <pollo@debian.org>
Date:   Wed Dec 30 18:43:24 2020 -0500

    Update dependencies and replace javax.annotation-api by jakarta.annotation.api.

commit 8d410e6041b808ba38d092210eb5b2b2130827e3
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 23:10:55 2020 +0100

    Ran wrap-and-sort -bastk.

commit 2841e6737af6b08f94081cbd468a904c6a247c25
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 23:05:53 2020 +0100

    Fixed new version in 0004-Add-missing-maven-artifacts-pom-files.patch.

commit 593844141529945838c2e243958b5e9361a2af2f
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 23:02:34 2020 +0100

    Removed applied upstream: 0018-fix-rubygem-vulnerabilities.patch.

commit 53ba45d6f929cdd5cf2fff13888470b32021adc9
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:58:11 2020 +0100

    Refreshed: 0016-Disable-SkinnyMethodAdapter-test.patch.

commit 9858edec84f2c49d4c0c4bb3b1783b523043e720
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:57:35 2020 +0100

    Rebased: 0015-javax-annotation-Generated.patch.

commit d163e0513f7805b26ed0d2fc0f6ad4cc9294fdc7
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:55:35 2020 +0100

    Refreshed: 0014-FELIX-5430.patch.

commit 572cd3bd759a53cb9b64de18d08a90093d4f427f
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:54:57 2020 +0100

    Rebased: 0013-Disable-regression-flaky-tests.patch.

commit cd593e81e6a054d9bae5628989646beb53f4c6c6
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:52:28 2020 +0100

    Rebased: 0012-Disable-jruby-flaky-tests.patch.

commit ac69a65b7476e9f976820ceb92bd712d9c049bdb
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:49:31 2020 +0100

    Rebased: 0011-Disable-failed-tests-in-sbuild.patch.

commit 5234f27d012ba078f132c1482a983467fdaa6a7c
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:46:22 2020 +0100

    Disabled: 0010-Exclude-mri-tests-failing-in-debian.patch.

commit 66e4f4c7b66d8c71f02f743b95457d79f4c94313
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:43:48 2020 +0100

    Rebased: 0007-Add-usr-lib-ruby-vendor-ruby-to-load-path.patch.

commit 1911548bddd727fe0d4e11b78a5ec2b92494bd6b
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:32:51 2020 +0100

      * Refreshed:
        - 0002-Disable-unpackaged-plugins-in-lib-module.patch.
        - 0005-Disable-jnr-ffi-native-usage.patch.

commit 2fbbe0d9cc4be72755f5cc7275615be25228e93b
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:32:21 2020 +0100

    Rebased 0001-Disable-polyglot-maven-extension.patch.

commit 892080ff9b07b0056e9a968783713066ec25c572
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:18:09 2020 +0100

    New upstream release 9.2.14.0

commit 5f46afcdbc2ab884aeb3dd0877bceb5012ae5579
Merge: f6e653039 42ac9b95d
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:17:30 2020 +0100

    Update upstream source from tag 'upstream/9.2.14.0'
    
    Update to upstream version '9.2.14.0'
    with Debian dir 9258cd56f0a84f1e186aa86e7c4b3c68e3eaec01

commit 42ac9b95d2190efcb002227de9de494e0ad6f815
Author: Thomas Goirand <zigo@debian.org>
Date:   Mon Dec 28 22:17:30 2020 +0100

    New upstream version 9.2.14.0

Created: 2020-12-31 Last update: 2021-06-08 03:41

lintian reports 15 warnings normal

Lintian reports 15 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-09-21 Last update: 2021-01-27 03:02

5 low-priority security issues in buster low

There are 5 open security issues in buster.

5 issues left for the package maintainer to handle:

CVE-2017-17742: (needs triaging) Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
CVE-2019-16201: (needs triaging) WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
CVE-2019-16254: (needs triaging) Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
CVE-2019-16255: (needs triaging) Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
CVE-2020-25613: (needs triaging) An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-04-07 20:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.3.0).

Created: 2019-07-08 Last update: 2020-11-17 05:41

testing migrations

excuses:
- Migrates after: jruby-openssl, ruby-psych
- Migration status for jruby (- to 9.1.17.0-3): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- Updating jruby introduces new bugs: #959600, #972230, #976477, #977979
- blocked by freeze: is not in testing
- Build-Depends(-Arch): jruby jruby-openssl
- Build-Depends(-Arch): jruby ruby-psych
- Depends: jruby ruby-psych
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/j/jruby.html
- 748 days old (needed 20 days)
- Not considered

news

[rss feed]

[2021-02-18] jruby REMOVED from testing (Debian testing watch)
[2020-10-01] Accepted jruby 1.7.26-1+deb9u3 (source all) into oldstable (Utkarsh Gupta)
[2020-08-16] Accepted jruby 1.7.26-1+deb9u2 (source) into oldstable (Adrian Bunk)
[2019-12-10] Accepted jruby 1.5.6-9+deb8u2 (source all) into oldoldstable (Markus Koschany)
[2019-06-03] jruby 9.1.17.0-3 MIGRATED to testing (Debian testing watch)
[2019-05-29] Accepted jruby 9.1.17.0-3 (source) into unstable (Hideki Yamane)
[2019-05-20] Accepted jruby 1.5.6-9+deb8u1 (source all) into oldstable (Abhijith PA)
[2019-05-08] jruby 9.1.17.0-2.1 MIGRATED to testing (Debian testing watch)
[2019-05-03] Accepted jruby 9.1.17.0-2.1 (source) into unstable (Salvatore Bonaccorso)
[2019-03-08] jruby 9.1.17.0-2 MIGRATED to testing (Debian testing watch)
[2019-02-26] Accepted jruby 9.1.17.0-2 (source) into unstable (Andrej Shadura)
[2019-02-25] Accepted jruby 9.1.17.0-1 (source) into unstable (Andrej Shadura)
[2018-06-12] Accepted jruby 1.7.26-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Markus Koschany)
[2018-06-08] Accepted jruby 1.7.26-1+deb9u1 (source all) into stable->embargoed, stable (Markus Koschany)
[2018-04-17] Accepted jruby 1.5.6-5+deb7u2 (source all) into oldoldstable (Markus Koschany)
[2018-04-01] Accepted jruby 1.5.6-5+deb7u1 (source all) into oldoldstable (Santiago R.R.) (signed by: Santiago Ruano Rincón)
[2017-10-15] Accepted jruby 9.1.13.0-1~bpo9+1 (source all) into stretch-backports (Miguel Landaeta)
[2017-10-11] jruby 9.1.13.0-1 MIGRATED to testing (Debian testing watch)
[2017-10-05] Accepted jruby 9.1.13.0-1 (source) into unstable (Miguel Landaeta)
[2017-09-29] Accepted jruby 9.1.8.0-3~bpo9+1 (source all) into stretch-backports, stretch-backports (Miguel Landaeta)
[2017-09-24] jruby 9.1.8.0-3 MIGRATED to testing (Debian testing watch)
[2017-09-18] Accepted jruby 9.1.8.0-3 (source) into unstable (Miguel Landaeta)
[2017-08-25] jruby 9.1.8.0-2 MIGRATED to testing (Debian testing watch)
[2017-07-28] Accepted jruby 9.1.8.0-2 (source) into unstable (Miguel Landaeta)
[2017-07-23] Accepted jruby 9.1.8.0-1 (source all) into unstable (Miguel Landaeta)
[2017-04-21] Accepted jruby 9.1.8.0-1~exp3 (source) into experimental (Miguel Landaeta)
[2017-04-17] Accepted jruby 9.1.8.0-1~exp2 (source) into experimental (Miguel Landaeta)
[2017-03-11] Accepted jruby 9.1.8.0-1~exp1 (source) into experimental (Miguel Landaeta)
[2017-03-07] Accepted jruby 9.1.6.0-1~exp3 (source) into experimental (Miguel Landaeta)
[2017-03-04] Accepted jruby 9.1.6.0-1~exp2 (source) into experimental (Miguel Landaeta)

bugs [bug history graph]

all: 14
RC: 2
I&N: 8
M&W: 1
F&P: 3
patch: 0
help: 1

links

homepage
lintian (0, 15)
buildd: logs, clang
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.1.17.0-3build6
4 bugs