-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1192
                      XXE fixed in JRuby on Debian 7
                               19 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jruby
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000074  

Reference:         ESB-2018.1047.2

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1352-1

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jruby
Version        : 1.5.6-5+deb7u2
CVE ID         : CVE-2018-1000074

An unsafe object deserialization vulnerability was found in jruby, a
100% pure-Java implementation of Ruby. An attacker can use this flaw
to run arbitrary code when gem owner is run on a specially crafted
YAML file.

For Debian 7 "Wheezy", these problems have been fixed in version
1.5.6-5+deb7u2.

We recommend that you upgrade your jruby packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
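The Debian text above describes the vulnerability class rather than the mechanics, so the following is an added illustration, written for this bulletin and not taken from Debian, JRuby or RubyGems. It shows in plain Ruby (Psych, the YAML engine JRuby also ships) why feeding attacker-controlled YAML to the full loader is dangerous and what the safe alternative looks like: the full loader honours `!ruby/object:` tags and instantiates whatever class they name before the application sees the data, while `YAML.safe_load` rejects such tags outright. The `AuditRecord` class and both YAML documents are constructed for the example; the real `gem owner` code path is not reproduced here.

```ruby
require 'yaml'

# Constructed, harmless class standing in for "whatever class the YAML names".
# With the full loader, Psych instantiates it and sets @note directly from
# the document, without calling initialize.
class AuditRecord
  attr_accessor :note
end

# Constructed sample: a document carrying a Ruby object tag.
UNTRUSTED_YAML = <<~YAML
  --- !ruby/object:AuditRecord
  note: constructed sample, not real gem owner data
YAML

# Constructed sample: the same information as plain data, no tags.
PLAIN_YAML = <<~YAML
  ---
  note: constructed sample, plain data only
YAML

# Vulnerable pattern: the full loader. Psych >= 3.3 names it unsafe_load;
# older versions expose it as load, so pick whichever this interpreter has.
def full_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: safe_load only builds core types (Hash, Array, String,
# Integer, Float, true/false/nil) and raises on any !ruby/object tag.
def strict_load(doc)
  YAML.safe_load(doc)
end

# Defender-side check: report whether a document survives strict loading and,
# if not, which Psych error blocked it.
def classify(doc)
  obj = strict_load(doc)
  { accepted: true, type: obj.class.name }
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { accepted: false, reason: e.class.name }
end

if __FILE__ == $PROGRAM_NAME
  obj = full_load(UNTRUSTED_YAML)
  puts "full loader built a #{obj.class} with note=#{obj.note.inspect}"
  puts "safe_load on tagged doc: #{classify(UNTRUSTED_YAML)}"
  puts "safe_load on plain doc:  #{classify(PLAIN_YAML)}"
end
```

Run stand-alone, the first line shows the full loader returning an `AuditRecord` instance, the second shows `safe_load` refusing the same document with `Psych::DisallowedClass`, and the third shows that ordinary untagged data still loads as a `Hash`. Any code path that parses YAML from outside the trust boundary should look like `strict_load`, and auditing for calls to the full loader is a quick way to find the exposed ones.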

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----