Bug 974094

Summary: CVE-2013-0269 CVE-2013-1821 JRuby 1.7.2 multiple security flaws [fedora-rawhide]
Product: [Fedora] Fedora
Reporter: Alexander Kurtakov <akurtako>
Component: jruby
Assignee: Mo Morsi <mmorsi>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 20
CC: bkabrda, mgoldman, mmorsi, sparks, vondruch
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: ---
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: fst_ping=1
Doc Type: Release Note
Story Points: ---
Last Closed: 2015-04-09 19:00:46 UTC
Type: Bug
Bug Depends On: 1152249    
Bug Blocks: 909029, 914716    

Description Alexander Kurtakov 2013-06-13 12:12:52 UTC
Fedora has jruby 1.7.2, which contains known CVEs that are fixed in version 1.7.3: http://www.jruby.org/2013/02/21/jruby-1-7-3.html. In the meantime 1.7.4 has been released and it's probably best to update to it directly.

Comment 1 Vincent Danen 2013-06-13 15:01:51 UTC
Thanks for this, Alexander.  The two CVEs that are corrected are CVE-2013-0269 and CVE-2013-1821.  I'm going to link those bugs and turn this into a tracking bug.  I've looked on the upstream page and can't see anything about 1.6.x being affected by these, but it wouldn't surprise me if they were, so this may be an issue for Fedora 17 and 18 as well (unknown).

Comment 2 Fedora End Of Life 2013-09-16 14:10:53 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20

Comment 3 pjp 2015-04-09 17:32:06 UTC
Hello mmorsi,

You plan to fix this soon?

Comment 4 Mo Morsi 2015-04-09 19:00:46 UTC
Hey pjp, I haven't worked on this in a while, msrb took over jruby packaging. From the looks of it though it seems the build has been updated in rawhide:

http://koji.fedoraproject.org/koji/packageinfo?packageID=6094

This bug is filed against F20 but I doubt that the build will be able to be backported there due to missing and incompatible dependencies. Closing as on rawhide.