| Summary: | <dev-java/jruby-1.4.1 (<dev-java/jcodings-1.0.3) XSS vulnerability (CVE-2010-1330) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Vlastimil Babka (Caster) (RETIRED) <caster> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | java |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html | ||
| Whiteboard: | ~3? [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 312547 | ||
|
Description
Vlastimil Babka (Caster) (RETIRED)
2010-04-27 08:49:27 UTC
Seems like the vulnerability is in jcodings, which is stable, but jruby not. I'm not sure if/how it can manifest in jcodings itself, or other reverse dependencies (which are however also jruby-related), besides through jruby. Reverse DEPEND for dev-java/jcodings: dev-java/bytelist-1.0.2 dev-java/joni-1.1.3 dev-java/jruby-1.3.1-r1 dev-java/jruby-1.4.0-r4 dev-java/jruby-1.4.0-r5 dev-java/jruby-1.4.0-r6 dev-java/jvyamlb-0.2.5 OK, bumped both jcodings and jruby (which was probably not necessary, but rather to avoid confusion) with updated dependency. Arches please stabilize: dev-java/jcodings-1.0.4 =dev-java/jcodings-1.0.4 builds fine on x86. Tested rdeps =dev-java/bytelist-1.0.2, =dev-java/joni-1.1.3 and =dev-java/jvyamlb-0.2.5 (jruby is not stable). I don't know how to really test this, but the test suites of bytelist and jvyamlb didn't give any problems. I guess this is fine then. Please mark =dev-java/jcodings-1.0.4 stable for x86. x86 stable, thanks Myckel amd64 stable, all arches done. Closing noglsa. |
