A jruby security update has been released for Debian GNU/Linux 10 LTS to address several vulnerabilities.

DLA 3408-1: jruby security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3408-1 debian-lts@lists.debian.org
  https://www.debian.org/lts/security/ Adrian Bunk
April 30, 2023   https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : jruby
Version : 9.1.17.0-3+deb10u1
CVE ID : CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255
CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755
CVE-2023-28756
Debian Bug : 972230 1014818

Several vulnerabilities were fixed in JRuby, a Java implementation of
the Ruby programming language.

CVE-2017-17742
CVE-2019-16254

HTTP Response Splitting attacks in the HTTP server of WEBrick.

CVE-2019-16201

Regular Expression Denial of Service vulnerability of WEBrick's
Digest access authentication.

CVE-2019-16255

Code injection vulnerability of Shell#[] and Shell#test.

CVE-2020-25613

HTTP Request Smuggling attack in WEBrick.

CVE-2021-31810

Trusting FTP PASV responses vulnerability in Net::FTP.

CVE-2021-32066

Net::IMAP did not raise an exception when StartTLS fails with an an
unknown response.

CVE-2023-28755

Quadratic backtracking on invalid URI.

CVE-2023-28756

The Time parser mishandled invalid strings that have specific characters.

For Debian 10 buster, these problems have been fixed in version
9.1.17.0-3+deb10u1.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS