CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325


Debian Bug report logs - #925987
CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 29 Mar 2019 18:57:01 UTC

Severity: grave

Tags: security, upstream

Found in version jruby/9.1.17.0-2

Fixed in version jruby/9.1.17.0-3

Done: Hideki Yamane <henrich@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#925987; Package jruby. (Fri, 29 Mar 2019 18:57:03 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 29 Mar 2019 18:57:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
Date: Fri, 29 Mar 2019 19:55:24 +0100
Package: jruby
Severity: grave
Tags: security

jruby embeds a version of rubygems, so it's affected by
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems

Cheers,
        Moritz



Marked as found in versions jruby/9.1.17.0-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Mar 2019 20:00:03 GMT).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Mar 2019 20:03:05 GMT).


Reply sent to Hideki Yamane <henrich@debian.org>:
You have taken responsibility. (Wed, 29 May 2019 05:51:04 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 29 May 2019 05:51:04 GMT).


Message #14 received at 925987-close@bugs.debian.org:

From: Hideki Yamane <henrich@debian.org>
To: 925987-close@bugs.debian.org
Subject: Bug#925987: fixed in jruby 9.1.17.0-3
Date: Wed, 29 May 2019 05:48:58 +0000
Source: jruby
Source-Version: 9.1.17.0-3

We believe that the bug you reported is fixed in the latest version of
jruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 925987@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hideki Yamane <henrich@debian.org> (supplier of updated jruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 29 May 2019 08:06:41 +0900
Source: jruby
Architecture: source
Version: 9.1.17.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Hideki Yamane <henrich@debian.org>
Closes: 925987
Changes:
 jruby (9.1.17.0-3) unstable; urgency=medium
 .
   * Team upload.
   * debian/patches
     - add 0017-fix-rubygem-vulnerabilities.patch to fix CVEs (Closes: #925987)
       (CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324
        CVE-2019-8325)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:13:53 2019; Machine Name: beach
