-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1192
                      XXE fixed in JRuby on Debian 7
                               19 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jruby
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000074
Reference:         ESB-2018.1047.2

Original Bulletin:
   https://security-tracker.debian.org/tracker/DLA-1352-1

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jruby
Version        : 1.5.6-5+deb7u2
CVE ID         : CVE-2018-1000074

An unsafe object deserialization vulnerability was found in jruby, a 100%
pure-Java implementation of Ruby. An attacker can use this flaw to run
arbitrary code when gem owner is run on a specially crafted YAML file.

For Debian 7 "Wheezy", these problems have been fixed in version
1.5.6-5+deb7u2.

We recommend that you upgrade your jruby packages.
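The advisory above concerns unsafe object deserialization of YAML. As an added illustration, not part of the Debian or AusCERT bulletin and not jruby's or RubyGems' own code, the following Ruby snippet shows the defensive pattern for any program that reads YAML it did not produce itself: parse it as plain data with Psych.safe_load, so a document carrying a Ruby object tag is rejected instead of being instantiated. The two sample documents are constructed for this example; the function names are assumptions of this example, not an API of jruby or RubyGems.

```ruby
require 'yaml' # loads Psych, Ruby's YAML engine

# Constructed sample inputs (not taken from the advisory): a plain data
# document, and one carrying a Ruby object tag, the kind of construct an
# unsafe deserializer would turn into a live object.
PLAIN_DOC  = "name: example\nversion: '1.0'\nauthors:\n  - alice\n"
TAGGED_DOC = "name: example\nextra: !ruby/object:Object {}\n"

# Parse untrusted YAML as data only. Psych.safe_load builds only the basic
# scalar and collection types (strings, numbers, booleans, nil, arrays,
# hashes); any !ruby/object tag raises Psych::DisallowedClass instead of
# constructing the named class. Aliases are disabled as well, which closes
# the usual denial-of-service vector of self-referencing documents.
def load_untrusted_yaml(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

# Classify a document: [:ok, data] when it parses as plain data,
# [:rejected, reason] when the safe loader refuses it.
def classify_yaml(text)
  data = load_untrusted_yaml(text)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.class.name]
end

if $PROGRAM_NAME == __FILE__
  p classify_yaml(PLAIN_DOC)  # [:ok, {"name"=>"example", "version"=>"1.0", "authors"=>["alice"]}]
  p classify_yaml(TAGGED_DOC) # [:rejected, "Psych::DisallowedClass"]
end
```

The design point is that the allow-list is empty: a loader that needs a handful of application classes can pass them in permitted_classes, but anything not on that list stays inert data. Reviewing a codebase for YAML.load or YAML.unsafe_load on externally supplied files is the corresponding audit step.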
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlrWes1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSfUw/9EySd9c4vTfZeUzuB7pS1SMI0uUFiK5/Sk4+L5wVdgjpDw4dSW2D/LEv+
ozFt1FptYFwaL7syG+TDJ8fTyq3YbsBydjYkBYgP94KpVXk0JyEgVB7gOSN0m65b
xyR+4KeuGIhW1Lmgzd91dGK3qz5EHsaDIcY+faCHY0Fzx+ivjhp3fRm1J5TE3iBL
qcihFks/MjpcjeS4T6s0aJnXeaNfaE+hi9xOudF1E6TjOQnusDP4NfWd3q4sEoSI
ra2YP1aFZdb34APFN5oWBzsMvkp/hm0eKH/hB3pR/RxaQhAQFc3X0jvB0R6PT1c2
O69COCoP49E/b3aCghgsmV0GFQH69lRzr1ZE6bxOb3DN+gyYtmWYwkBgtSCkwoia
taSfc6g3kAV+McikHICxbV+D90nxMNTr/q3AlLjOUqvMrfYhqavnS+y2Ek2rOhJm
3k4GTY6BbRMVZ/yUNV/RJGs4Nr9MBnyJMxjiGFxwnJDfGQRiB2nSYh4z7XPNkKVT
DUx3nWM3hNo963LwPjGBI0ww+6fcu1Y50qHh/Nrie23e7nve2+a32Eh1ytNZ1V7j
kp3QT0BrXRYLC+HbhOiDV4wvFlrH3e4/p+AfCo8F/fpziAmHwiuwvE01qvQ03ZR+
YMrC0DoJSXsFtcw5BjiNDPqrHs5SFnOw+AMgXLp6O5X897J3jzI=
=Q1MM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWtfbLYx+lLeg9Ub1AQgEcw//UDN5NrrUPeAs7SnDBpAmITMwlNw6xK1E
rU0XVBVqFhYsw6+w0hsaLVREni3nSs7gW+7NjettNOtyzgkdWu38wAzWAnVOoZ8d
qYLoMPMCxeFii/EoW0k6Ea6mWMvT+MLMdCs9jX/jrEtJzittrAI4rZiJm3oESCJX
dpJlXZLZc5hn2Vrd1S8d2UVLuUZ66uwFNzcClzrvzW7BneTVjsHV0xvzh97pA3eN
WNoYo5ujvExMoqJX5w4z9jjeCW0oQB7e3Y+eUZtQx41SZvi7NvEw/h4V9uAZojB/
YDgqTfh8aEuLevd+3KH7/O20N/+gx2wR8Zr8nqh+V9/2KaWsftejl62I5VNQhBUx
E0FmvBM6CaMzV14+4spaqq8jg7v8f7v5woD5lzxd02wNM2yeOldtfT9f14k1jpHn
xy3J27lEkrVQkpRJFXgADM95jEt6jxVzlAxckUi9lvwILsYvbf/LRqmztgGg21Fk
lDDKOAH8KBnuuRdVjDGKE1ykxvmRSr9mFzyUGLWV3K1B4RpjWGd9d8Fs1LlIT17v
uhd0lC6Jy4r7kvSLgVg+05mPZIPdBOG7hmnC6+F8tfGcfryU2WkozTBhI8IgigAX
k+texDATKH1RpsP7mIxPUorU12pk5hPtQ/N2F1AddL6WKDSExvCuF2AnBqH92D6L
eLd517UYkjw=
=h7Go
-----END PGP SIGNATURE-----