Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 317435 (CVE-2010-1330) - <dev-java/jruby-1.4.1 (<dev-java/jcodings-1.0.3) XSS vulnerability (CVE-2010-1330)
Summary: <dev-java/jruby-1.4.1 (<dev-java/jcodings-1.0.3) XSS vulnerability (CVE-2010-...
Alias: CVE-2010-1330
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: ~3? [noglsa]
Depends on:
Blocks: 312547
  Show dependency tree
Reported: 2010-04-27 08:49 UTC by Vlastimil Babka (Caster) (RETIRED)
Modified: 2011-10-30 22:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-04-27 08:49:27 UTC
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-04-27 08:59:58 UTC
Seems like the vulnerability is in jcodings, which is stable, but jruby not. I'm not sure if/how it can manifest in jcodings itself, or other reverse dependencies (which are however also jruby-related), besides through jruby.

Reverse DEPEND for dev-java/jcodings: dev-java/bytelist-1.0.2 dev-java/joni-1.1.3 dev-java/jruby-1.3.1-r1 dev-java/jruby-1.4.0-r4 dev-java/jruby-1.4.0-r5 dev-java/jruby-1.4.0-r6 dev-java/jvyamlb-0.2.5
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-04-27 09:28:15 UTC
OK, bumped both jcodings and jruby (which was probably not necessary, but rather to avoid confusion) with updated dependency.

Arches please stabilize:
Comment 3 Myckel Habets (work) 2010-04-28 09:48:55 UTC
=dev-java/jcodings-1.0.4 builds fine on x86. Tested rdeps =dev-java/bytelist-1.0.2, =dev-java/joni-1.1.3 and =dev-java/jvyamlb-0.2.5 (jruby is not stable).
I don't know how to really test this, but the test suites of bytelist and jvyamlb didn't give any problems. I guess this is fine then.

Please mark =dev-java/jcodings-1.0.4 stable for x86.

Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-04-28 13:59:16 UTC
x86 stable, thanks Myckel
Comment 5 Markus Meier gentoo-dev 2010-05-15 13:22:07 UTC
amd64 stable, all arches done.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-22 10:38:05 UTC
Closing noglsa.