Bug 974094 - CVE-2013-0269 CVE-2013-1821 JRuby 1.7.2 multiple security flaws [fedora-rawhide]
Summary: CVE-2013-0269 CVE-2013-1821 JRuby 1.7.2 multiple security flaws [fedora-rawhide]
Alias: None
Product: Fedora
Classification: Fedora
Component: jruby
Version: 20
Hardware: Unspecified Unspecified
Target Milestone: ---
Assignee: Mo Morsi
QA Contact: Fedora Extras Quality Assurance
Whiteboard: , fst_ping=1
Keywords: Security, SecurityTracking
Depends On: 1152249
Blocks: CVE-2013-0269 CVE-2013-1821
Reported: 2013-06-13 12:12 UTC by Alexander Kurtakov
Modified: 2015-04-09 19:00 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-04-09 19:00:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Alexander Kurtakov 2013-06-13 12:12:52 UTC
Fedora has jruby 1.7.2, which contains known CVEs that are fixed in version 1.7.3: http://www.jruby.org/2013/02/21/jruby-1-7-3.html. In the meantime, 1.7.4 has been released and it's probably best to update to it directly.

Comment 1 Vincent Danen 2013-06-13 15:01:51 UTC
Thanks for this, Alexander.  The two CVEs that are corrected are CVE-2013-0269 and CVE-2013-1821.  I'm going to link those bugs and turn this into a tracking bug.  I've looked on the upstream page and can't see anything about 1.6.x being affected by these, but it wouldn't surprise me if they were, so this may be an issue for Fedora 17 and 18 as well (unknown).

Comment 2 Fedora End Of Life 2013-09-16 14:10:53 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:

Comment 3 pjp 2015-04-09 17:32:06 UTC
Hello mmorsi@redhat.com,

You plan to fix this soon?

Comment 4 Mo Morsi 2015-04-09 19:00:46 UTC
Hey pjp, I haven't worked on this in a while, msrb took over jruby packaging. From the looks of it though it seems the build has been updated in rawhide:


This bug is filed against F20 but I doubt that the build will be able to be backported there due to missing and incompatible dependencies. Closing as on rawhide.
