Your message dated Sat, 09 Dec 2023 19:36:51 +0000
with message-id <e1rc387-003rmz...@fasolo.debian.org>
and subject line Bug#1036283: fixed in jruby 9.4.3.0+ds-1~exp1
has caused the Debian Bug report #1036283,
regarding jruby: CVE-2023-28755 CVE-2023-28756
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jruby
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for jruby.

CVE-2023-28755[0]:
| A ReDoS issue was discovered in the URI component through 0.12.0 in
| Ruby through 3.2.1. The URI parser mishandles invalid URLs that have
| specific characters. It causes an increase in execution time for
| parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1,
| 0.10.2 and 0.10.0.1.

Fixed by: https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300 (v3_1_4)
Fixed by: https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175 (v0.12.1)
https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/

CVE-2023-28756[1]:
| A ReDoS issue was discovered in the Time component through 0.2.1 in
| Ruby through 3.2.1. The Time parser mishandles invalid URLs that have
| specific characters. It causes an increase in execution time for
| parsing strings to Time objects. The fixed versions are 0.1.1 and
| 0.2.2.

Fixed by: https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e (v3_1_4)
Fixed by: https://github.com/ruby/time/commit/b57db51f577875d3e896dcd2ef1dcaf97f23e943 (v0.2.2)
Fixed by: https://github.com/ruby/time/commit/3dce6f73d14f5fad6d9b302393fd02df48797b11 (v0.2.2)
https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28755
    https://www.cve.org/CVERecord?id=CVE-2023-28755
[1] https://security-tracker.debian.org/tracker/CVE-2023-28756
    https://www.cve.org/CVERecord?id=CVE-2023-28756

Please adjust the affected versions in the BTS as needed.

--- End Message ---
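The two CVE texts quoted in the report above give concrete fixed versions for the uri gem (0.12.1, 0.11.1, 0.10.2, 0.10.0.1) and the time gem (0.2.2, 0.1.1), and describe the defect as parse time growing on crafted invalid input. The following script is an added example, not code from the Debian bug report, the jruby package or the upstream advisories: it audits the running Ruby or JRuby interpreter against those fixed versions and wraps the two parsers with an input-length bound so that untrusted strings cannot drive the regex-based parsers into long backtracking runs. The 2 KiB limit and the function names are assumptions made for this example; the branch-matching rule (a backported fix such as 0.10.0.1 covers only its own maintenance branch) is an interpretation of the version list, not something the CVE text states explicitly.

```ruby
# Added example (not part of the Debian bug report or the jruby package):
# audit a Ruby/JRuby environment against the fixed gem versions named in
# the CVE texts above, and bound the size of untrusted input before it
# reaches the regex-based URI / Time parsers.
require 'rubygems'
require 'uri'
require 'time'

# Fixed versions exactly as listed in the quoted CVE descriptions.
FIXED_VERSIONS = {
  'uri'  => %w[0.12.1 0.11.1 0.10.2 0.10.0.1], # CVE-2023-28755
  'time' => %w[0.2.2 0.1.1],                   # CVE-2023-28756
}.freeze

# A version is fixed if it is at or above the newest fixed release, or if it
# sits on the same maintenance branch as one of the backported fixes and is
# at or above that fix. The branch of a fixed release is all segments but the
# last, so 0.10.0.1 covers only 0.10.0.x while 0.10.2 covers 0.10.x.
# (This branch rule is an assumption made for the example.)
def fixed?(gem_name, version_string)
  version = Gem::Version.new(version_string)
  fixes = FIXED_VERSIONS.fetch(gem_name).map { |v| Gem::Version.new(v) }
  return true if version >= fixes.max

  fixes.any? do |fix|
    branch = fix.segments[0...-1]
    version.segments.first(branch.length) == branch && version >= fix
  end
end

# Version of a gem in the running interpreter, or nil if it cannot be
# determined (both are default gems and are normally registered in
# Gem.loaded_specs once required).
def installed_version(gem_name)
  spec = Gem.loaded_specs[gem_name]
  spec ? spec.version.to_s : nil
end

# Returns gem name => :fixed / :vulnerable / :unknown for the two
# components named in the report.
def audit
  FIXED_VERSIONS.keys.to_h do |name|
    v = installed_version(name)
    status = if v.nil? then :unknown
             elsif fixed?(name, v) then :fixed
             else :vulnerable
             end
    [name, status]
  end
end

# Defensive wrapper for untrusted input: ReDoS cost grows with input
# length, so refuse oversized strings before the parser's regexps see them.
# The 2 KiB limit is an assumption for this example; pick one that fits the
# inputs your application legitimately accepts.
MAX_UNTRUSTED_LEN = 2048

def parse_uri_guarded(str, max_len: MAX_UNTRUSTED_LEN)
  raise ArgumentError, "URI too long: #{str.bytesize} > #{max_len}" if str.bytesize > max_len
  URI.parse(str)
end

def parse_time_guarded(str, max_len: MAX_UNTRUSTED_LEN)
  raise ArgumentError, "time string too long: #{str.bytesize} > #{max_len}" if str.bytesize > max_len
  Time.parse(str)
end

if __FILE__ == $PROGRAM_NAME
  audit.each do |name, status|
    puts "#{name}: #{installed_version(name) || '?'} => #{status}"
  end
end
```

Run it under the interpreter you actually deploy (for the Debian package, `jruby audit.rb`), since JRuby ships its own copies of the uri and time gems independent of any MRI installed on the host; an `:unknown` result means the gem was not registered in `Gem.loaded_specs` and the version should be checked by hand. The length bound is a mitigation, not a fix: it limits how long a single malformed input can occupy the parser, but upgrading to the fixed gem versions is what removes the backtracking behaviour.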
--- Begin Message ---
Source: jruby
Source-Version: 9.4.3.0+ds-1~exp1
Done: Jérôme Charaoui <jer...@riseup.net>

We believe that the bug you reported is fixed in the latest version of
jruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérôme Charaoui <jer...@riseup.net> (supplier of updated jruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Dec 2023 14:41:18 -0500
Source: jruby
Architecture: source
Version: 9.4.3.0+ds-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Jérôme Charaoui <jer...@riseup.net>
Closes: 1036283 1042129
Changes:
 jruby (9.4.3.0+ds-1~exp1) experimental; urgency=medium
 .
   * New upstream version 9.4.3.0+ds (Closes: #1036283, #1042129)
     - includes fixes for CVE-2023-28755 and CVE-2023-28756
   * build with polyglot-ruby and mavengem plugin
   * keep bundled bouncycastle-1.71 jar in package
   * switch to snakeyaml-engine for pysch 5.1
   * don't ship jruby-stdlib and jruby-complete anymore
   * d/copyright: update for new upstream release
   * d/control:
     + add new libfixposix4 binary dependency
     + add copy-rename-maven-plugin to build-deps
     + bump Standards-Version, no changes needed
     + run wrap-and-sort -bastk
   * d/patches:
     + rebase patches for new upstream version
     + add patch to omit bundled gems from build
     + re-enable JarResourceTest with workaround
     + fix gems path in lib/pom.rb
     + patch stdlib gems to load jars from usj
     + patch io-console to load on all platforms
     - drop mri test patch, merged upstream
   * d/tests:
     + add rexml for new test in jruby set
     + don't run chroot specs even if root
     + fix test exclusion missing trailing newline
     + improve adding mri exclusions
     + fix jirb expect-based test
     + skip some tests failing if ipv6 is absent
     + exclude two unreliable mri-core tests
     + exclude flaky mri-stdlib test in salsa
     - mark jrib test as no longer flaky
     - pack/unpack tests on 32-bit fixed upstream
   * d/rules:
     + use jruby.dirs to create usj/jruby/lib/jni
     + ship SourceCodePro font in package
     + improve dh_auto_clean target
     - rework override_dh_prep stanza
   * d/gbp.conf: add rubygems component to export
   * d/salsa-ci.yml: build and run autopkgtests in salsa
   * various lintian fixes / overrides
Checksums-Sha1:
 873d3f9732f5f0e9cfb2bb1cbd39a7802a4a0a14 2885 jruby_9.4.3.0+ds-1~exp1.dsc
 d993c566e6f49751227d44593ccd81eb54aab9a2 12745444 jruby_9.4.3.0+ds.orig-rubygems.tar.xz
 4c9d47d14b7259092701f6829b43eb2b67967d47 5737216 jruby_9.4.3.0+ds.orig.tar.xz
 37d3beb9112099f70b88ad46cb09d4569b865b2b 39284 jruby_9.4.3.0+ds-1~exp1.debian.tar.xz
 1ad20447f2591bc84cee4d6ced2e8fa25fb0de0d 16097 jruby_9.4.3.0+ds-1~exp1_amd64.buildinfo
Checksums-Sha256:
 893b7775452bc8b3826728fc6e0899b12ac0ad3477ec40bd75dc6993c2bc1787 2885 jruby_9.4.3.0+ds-1~exp1.dsc
 9acf568748cf517f39e4deb779e0ba1fc40a87904e4cf0dac41b9ed4e7bd9c8a 12745444 jruby_9.4.3.0+ds.orig-rubygems.tar.xz
 e669dec374e0e733b59d46f54b5644e9a4ddeab2d4e1579a20ce386d2f8e4e2b 5737216 jruby_9.4.3.0+ds.orig.tar.xz
 df98574bd105e3c430a7bd467c3b6ba82ffc4a29075bf69a38ca7b7b31393d8c 39284 jruby_9.4.3.0+ds-1~exp1.debian.tar.xz
 7e48487ef21b9abe889e5f2100dbf9441bf86c6e829a49fdcf059eda2f2e7770 16097 jruby_9.4.3.0+ds-1~exp1_amd64.buildinfo
Files:
 9f59612f2768a08837e41404ba047990 2885 ruby optional jruby_9.4.3.0+ds-1~exp1.dsc
 348002aa47ceb3a65db7b5af95e8e918 12745444 ruby optional jruby_9.4.3.0+ds.orig-rubygems.tar.xz
 14df5bd8eb77d4cd0e8cde994c2fe2ff 5737216 ruby optional jruby_9.4.3.0+ds.orig.tar.xz
 94fbed7c49ee80047c0b49fa7aa897b2 39284 ruby optional jruby_9.4.3.0+ds-1~exp1.debian.tar.xz
 a41be4ecdea7abce77e300c993d7a545 16097 ruby optional jruby_9.4.3.0+ds-1~exp1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQTAq04Rv2xblqv/eu5pxS9ljpiFQgUCZXS9ggAKCRBpxS9ljpiF
QtYOAPsFqN7Tk455PPy1LZVQct2OeaDUM1maAbqlOqb+tk/KlgEA3ICCLT8FJ7ug
0AfPAfhpfiY5n70RcJ9UUUKf8T+L5QE=
=oT+O
-----END PGP SIGNATURE-----

--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.