Bug 750306 - (CVE-2010-1330) CVE-2010-1330 jruby: XSS in the regular expression engine when processing invalid UTF-8 byte sequences
CVE-2010-1330 jruby: XSS in the regular expression engine when processing inv...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20100426,repor...
: Security
Depends On: 750310 750311
Blocks: 750308
  Show dependency treegraph
 
Reported: 2011-10-31 12:25 EDT by Jan Lieskovsky
Modified: 2016-03-04 07:48 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-08 02:14:47 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2011-10-31 12:25:22 EDT
A cross-site scripting (XSS) flaw was found in the way the regular expression engine of the JRuby, Java implementation of the Ruby programming language, processed certain invalid UTF-8 byte sequences. A remote attacker could use this flaw to execute arbitrary HTML or web script via specially-crafted input provided to an JRuby application.

References:
[1] http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html
[2] https://bugs.gentoo.org/show_bug.cgi?id=317435

Proposed upstream solution (is to upgrage to jcodings-v1.0.3):
[3] http://repo1.maven.org/maven2/org/jruby/jcodings/jcodings/1.0.3/jcodings-1.0.3.jar
Comment 1 Jan Lieskovsky 2011-10-31 12:26:54 EDT
This issue affects the versions of the jcodings package, as shipped with Fedora release of 14 and 15.

--

This issue did NOT affect the versions of the jcodings and jruby packages, as planned to be included into upcoming Fedora release of 16.
Comment 2 Jan Lieskovsky 2011-10-31 12:38:34 EDT
Created jcodings tracking bugs for this issue

Affects: fedora-14 [bug 750310]
Affects: fedora-15 [bug 750311]
Comment 5 errata-xmlrpc 2011-11-16 18:55:08 EST
This issue has been addressed in following products:

JBoss Enterprise SOA Platform 5.2.0

Via RHSA-2011:1456 https://rhn.redhat.com/errata/RHSA-2011-1456.html

Note You need to log in before you can comment on or make changes to this bug.