asciidoctor / asciidoctorj

:coffee: Java bindings for Asciidoctor. Asciidoctor on the JVM!
http://asciidoctor.org
Apache License 2.0

included jruby version is vulnerable due to snakeyaml dependency #1215

Closed derekhillhp closed 1 year ago

derekhillhp commented 1 year ago

Issue #1141 lists upgrading jruby to version 9.4.1.0, but that doesn't appear to be included in the latest release of 2.5.9. According to the change log:

~/Downloads/asciidoctorj-2.5.9$ cat CHANGELOG.adoc |grep -i jruby

The latest version included is 9.3.10.0, which still has some CVEs against it. As a matter of fact, the latest version of jruby is 9.4.2.0, which was released about 3 months ago. https://github.com/jruby/jruby/releases/tag/9.4.2.0

Is it possible to update to the latest version of jruby 9.4.2.0 and re-issue a new version of asciidoctorj? We are trying to resolve the persistent snakeyaml vulnerabilities which are being pulled in by older versions of jruby.

abelsromero commented 1 year ago

Issue #1141 lists upgrading jruby to version 9.4.1.0, but that doesn't appear to be included in the latest release of 2.5.9.

That PR is for the main branch which is targeting v3.0.0, version v2.5.9 is in branch v2.5.x.

Is it possible to update to the latest version of jruby 9.4.2.0

Yes, I'll prepare a PR. No issue at all.

and re-issue a new version of asciidoctorj

That's to be confirmed. But checking the JRuby History, I see we are "affected" by https://nvd.nist.gov/vuln/detail/CVE-2022-38751. However, we do not do any yaml parsing, and as such the CVE could be dismissed in case that's an option in the meantime.
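To triage a scanner finding like the one above against the jars a distribution actually ships, here is an added Python helper (not AsciidoctorJ project code) that reads the SnakeYAML version from the Maven `pom.properties` inside each jar and flags anything older than the fix version you take from the advisory; the jar contents and the `1.31` threshold below are constructed sample values, not facts from this issue.

```python
import io
import zipfile

# Maven-built jars record their coordinates here; SnakeYAML is org.yaml:snakeyaml.
SNAKEYAML_POM_PROPS = "META-INF/maven/org.yaml/snakeyaml/pom.properties"

def parse_version(v):
    """'1.30' -> (1, 30); a suffix such as '-SNAPSHOT' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split(".") if p.isdigit())

def snakeyaml_version(jar_bytes):
    """Return the SnakeYAML version declared inside a jar, or None if it ships none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if SNAKEYAML_POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(SNAKEYAML_POM_PROPS).decode().splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                return value.strip()
    return None

def triage(jars, fixed_in):
    """Map jar name -> (version, needs_upgrade) for each jar carrying SnakeYAML.
    fixed_in is the first version the advisory calls clean; the caller supplies it."""
    report = {}
    for name, data in jars.items():
        version = snakeyaml_version(data)
        if version is not None:
            report[name] = (version, parse_version(version) < parse_version(fixed_in))
    return report

def fake_jar(version):
    """Constructed stand-in for a jar on disk so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(SNAKEYAML_POM_PROPS,
                        f"groupId=org.yaml\nartifactId=snakeyaml\nversion={version}\n")
    return buf.getvalue()

# Constructed sample lib/ directory: one jar bundling SnakeYAML, one unrelated jar.
SAMPLE_JARS = {"snakeyaml-1.30.jar": fake_jar("1.30"), "asciidoctorj.jar": fake_jar(None)}

if __name__ == "__main__":
    # For a real distribution, build the dict from open(path, "rb").read() over lib/*.jar.
    for jar, (ver, upgrade) in triage(SAMPLE_JARS, fixed_in="1.31").items():
        print(f"{jar}: snakeyaml {ver} -> {'upgrade' if upgrade else 'ok'}")
```

Whether a flagged version is actually reachable still depends on whether the application parses YAML at all, which is the point abelsromero makes above.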

derekhillhp commented 1 year ago

Thanks for the update and fast response. Much appreciated.

robertpanzer commented 1 year ago

A new version of AsciidoctorJ with a more recent version of JRuby was released.