Debian Bug report logs - #694694
jruby: CVE-2012-5370

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 29 Nov 2012 08:27:02 UTC

Severity: grave

Tags: patch, security

Fixed in version jruby/1.5.6-5

Done: Martin Quinson <mquinson@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#694694; Package jruby. (Thu, 29 Nov 2012 08:27:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 29 Nov 2012 08:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jruby: CVE-2012-5370
Date: Thu, 29 Nov 2012 09:20:53 +0100
Package: jruby
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see the Red Hat bug for details:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5370

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#694694; Package jruby. (Mon, 10 Dec 2012 23:51:03 GMT)


Acknowledgement sent to Martin Quinson <martin.quinson@loria.fr>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 10 Dec 2012 23:51:03 GMT)


Message #10 received at 694694@bugs.debian.org:

From: Martin Quinson <martin.quinson@loria.fr>
To: 694694@bugs.debian.org
Subject: Patch for review
Date: Tue, 11 Dec 2012 00:47:05 +0100
package jruby
tags 694694 patch 
thanks

Hello,

I just committed the attached patch to the package's git. I intend to
upload the package with that correction (and maybe some other minor
ones) within the next few days unless someone objects.

I was about to upload it right away, but I'm not a jruby user myself,
and I have no way of checking it besides the included test suite (which
works exactly as well with or without this patch).

Thanks for any feedback,
Mt.

-- 
Since the taupin, who cares nothing for the progress of technique, imagines
that theories represent reality, that it has really happened, he believes
science overturned by a new theory, that is to say by a change of
language. -- Henri Bouasse, l'esprit Taupin, 1928.
[0009-CVE-2012-5370.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Martin Quinson <martin.quinson@loria.fr> to control@bugs.debian.org. (Mon, 10 Dec 2012 23:51:05 GMT)


Reply sent to Martin Quinson <mquinson@debian.org>:
You have taken responsibility. (Tue, 11 Dec 2012 20:51:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 11 Dec 2012 20:51:06 GMT)


Message #17 received at 694694-close@bugs.debian.org:

From: Martin Quinson <mquinson@debian.org>
To: 694694-close@bugs.debian.org
Subject: Bug#694694: fixed in jruby 1.5.6-5
Date: Tue, 11 Dec 2012 20:48:14 +0000
Source: jruby
Source-Version: 1.5.6-5

We believe that the bug you reported is fixed in the latest version of
jruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694694@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Quinson <mquinson@debian.org> (supplier of updated jruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 11 Dec 2012 21:22:36 +0100
Source: jruby
Binary: jruby
Architecture: source all
Version: 1.5.6-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Martin Quinson <mquinson@debian.org>
Description: 
 jruby      - 100% pure-Java implementation of Ruby
Closes: 694694
Changes: 
 jruby (1.5.6-5) unstable; urgency=medium
 .
   * Team upload.
   * Add patch for CVE-2012-5370: Use PerlHash instead of MurmurHash
     (that is vulnerable to DoS attacks). (Closes: #694694)
     [Patch adapted from 5e4aab28 upstream]
Checksums-Sha1: 
 4d13ae8ecbdd8028f0f1ea189fb27f2cd60c0ff4 2283 jruby_1.5.6-5.dsc
 fe062783f707c446d149cb293e1f71decd34ef5b 30568 jruby_1.5.6-5.debian.tar.gz
 cd2fd4e5d344ac1ed7d0612c67f72c886d038663 8918352 jruby_1.5.6-5_all.deb
Checksums-Sha256: 
 a0d0e96cf2b6e8f93ec6c54455807876faafd2baf4eee3db35baad83b6e9efd7 2283 jruby_1.5.6-5.dsc
 89b92389ef3863225237e1de776807fb7455f0003fd0bb90c54e312291143749 30568 jruby_1.5.6-5.debian.tar.gz
 7fa01aaa7b2d12eea1184488c9a130e71dfa1e40194c2180ec06840d82032ca0 8918352 jruby_1.5.6-5_all.deb
Files: 
 07da0a29ffec6d0846389e685a0fe72b 2283 ruby optional jruby_1.5.6-5.dsc
 96926425a15a98d304b93ca3bd3fdda7 30568 ruby optional jruby_1.5.6-5.debian.tar.gz
 3d8a3fe64808709079620a709c8a66c6 8918352 ruby optional jruby_1.5.6-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQx5ecAAoJEJi9lyRPc76nGCEP+wcfLnUFNlfnNovHHwqrfxlC
cLlLzPooRa3OAZ0IHgLhuHEXKzHAPGi5VLYSkLare6mxJcJDBCA0k0YADksLDOXF
T+LoRC1Rk9/ywLFOrvetkmEl5KEWL4QdQ4msXhG+1Fc6vwcDOITZeqMkki8VWQc1
SLL8UX20iyyMHqZ+cmuGFS7JV5KvoIlNWuQWoQkatGQNoJIelUa+RrUwhhupO7RH
AvMW8UK7MARgkGgde4LP0ONcQjvL9TmOEmW2bzfhSibZB162ArHhjGpmTL49jJ0x
o4t90LmHs5x/y7eQfAEpohAq8vaXJQ6m2E3inm5xOq3EGzYUwjp0jRzEqeiDhIjP
rRTc2MTG3szk8uSWM1wiHsAtuhQiDU1SyVQ6T//VXjd7Oo/prObxVZniDPdy9H/r
izK9eSNWZQeYaOzLSAG0IAWDgtyC7KT2m2j1VPLN2YzjWI4QhkdU9sTHfS70PeTT
pvXEqHyV0I3ICyq9tSKe/j1Wwipf3Mg80eW9o0tExRSGYJTsQ+aBDI5zZdXBLLyT
gdBjVaCMol13O1g7HZRacR+SxJwpJgkkwwIzkjUHSIdsCRWFH3Z+/ehxa+QO57cY
igXLZzliBp2ms1KW7zd9SNa7e9NEkCY2LDOalDYksqkLrDlCgVJXhDysjf1fWzkQ
RaTGj9VBACdnMFyum7pe
=nAUa
-----END PGP SIGNATURE-----


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:29:56 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:08:04 2019; Machine Name: beach
