Closed derekhillhp closed 1 year ago
Issue #1141 lists upgrading jruby to version 9.4.1.0, but that doesn't appear to be included in the latest release of 2.5.9.
That PR is for the main branch, which is targeting v3.0.0; version v2.5.9 is in branch v2.5.x.
Is it possible to update to the latest version of jruby 9.4.2.0
Yes, I'll prepare a PR. No issue at all.
and re-issue a new version of asciidoctorj
That's to be confirmed. But checking the JRuby History, I see we are "affected" by https://nvd.nist.gov/vuln/detail/CVE-2022-38751. However, we do not do any yaml parsing, and as such the CVE could be dismissed in case that's an option in the meantime.
Thanks for the update and fast response. Much appreciated.
A new version of AsciidoctorJ with a more recent version of JRuby was released.
Issue #1141 lists upgrading jruby to version 9.4.1.0, but that doesn't appear to be included in the latest release of 2.5.9. According to the change log:
```
~/Downloads/asciidoctorj-2.5.9$ cat CHANGELOG.adoc |grep -i jruby
JRubyAsciidoctor
to align behaviour withAbstractConverter
(@abelsromero) (#844)
```

The latest version included is 9.3.10.0, which still has some CVEs against it. As a matter of fact, the latest version of jruby is 9.4.2.0, which was released about 3 months ago. https://github.com/jruby/jruby/releases/tag/9.4.2.0
Is it possible to update to the latest version of jruby 9.4.2.0 and re-issue a new version of asciidoctorj. We are trying to resolve the persistent snakeyaml vulnerabilities which are being pulled in by older versions of jruby.
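The thread turns on two facts a practitioner usually wants to verify for themselves rather than read off a changelog: which JRuby version a given asciidoctorj distribution actually bundles, and whether the snakeyaml classes that trigger CVE-2022-38751 are physically present in that jar. The script below is an added example, not code from the AsciidoctorJ or JRuby projects. It assumes (as JRuby's jars are laid out) that `org/jruby/jruby.properties` carries a `version=` line and that psych's bundled snakeyaml sits under `org/yaml/snakeyaml/`; the jar it inspects is a constructed in-memory stand-in so the check runs offline.

```python
"""Added example (not AsciidoctorJ or JRuby project code): inspect a jar for the
bundled JRuby version and for snakeyaml class files, the kind of check you would
run against the jruby-complete jar shipped with asciidoctorj before deciding
whether a scanner's snakeyaml finding applies to your deployment."""
import io
import re
import zipfile

# Assumptions about jar layout (documented in the lead-in):
#  - jruby-complete ships org/jruby/jruby.properties with a "version=<x.y.z.w>" line
#  - psych's bundled snakeyaml lives under org/yaml/snakeyaml/
JRUBY_PROPERTIES = "org/jruby/jruby.properties"
SNAKEYAML_PREFIX = "org/yaml/snakeyaml/"


def inspect_jar(data: bytes) -> dict:
    """Return the JRuby version string and whether snakeyaml classes are bundled."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        version = None
        if JRUBY_PROPERTIES in names:
            props = jar.read(JRUBY_PROPERTIES).decode("utf-8", "replace")
            match = re.search(r"^version\s*=\s*(\S+)", props, re.MULTILINE)
            if match:
                version = match.group(1)
        yaml_classes = [
            n for n in names
            if n.startswith(SNAKEYAML_PREFIX) and n.endswith(".class")
        ]
    return {
        "jruby_version": version,
        "snakeyaml_classes": len(yaml_classes),
        "bundles_snakeyaml": bool(yaml_classes),
    }


def parse_version(version: str) -> tuple:
    """Turn '9.3.10.0' into (9, 3, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def older_than(found: str, wanted: str) -> bool:
    """True if the bundled version is strictly older than the one you want."""
    return parse_version(found) < parse_version(wanted)


def build_fake_jar(version: str, with_yaml: bool = True) -> bytes:
    """Constructed stand-in for a jruby-complete jar (only the entries the check reads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(JRUBY_PROPERTIES, f"version={version}\nrevision=0000000\n")
        jar.writestr("org/jruby/Ruby.class", b"\xca\xfe\xba\xbe")
        if with_yaml:
            jar.writestr(SNAKEYAML_PREFIX + "Yaml.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_fake_jar(...) with open("jruby-complete.jar", "rb").read() for a real jar.
    report = inspect_jar(build_fake_jar("9.3.10.0"))
    print(report)
    print("older than 9.4.2.0:", older_than(report["jruby_version"], "9.4.2.0"))
```

Note what this check does and does not establish: finding `org/yaml/snakeyaml/*.class` proves the vulnerable code is on the classpath (which is why dependency scanners flag it), but not that anything reachable parses untrusted YAML through it; the maintainer's point above that AsciidoctorJ does no YAML parsing is a reachability argument, and the scanner finding and that argument are both inputs to a dismissal decision, not substitutes for the upgrade.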