@headius
Last active December 2, 2021 16:44

Security

  • Date-parsing methods have been modified to accept an input-size limit option. This addresses CVE-2021-41817. It was originally reported against Ruby's C-based date extension, which JRuby does not use, but JRuby's own implementation of date is also affected by the same issue.

    The fix is detailed in #6952. A workaround is provided, via patching the pure-Ruby date code in your own JRuby install. Rebuilding JRuby is not necessary. This PR is the only functional difference from JRuby 9.3.1.0.

  • In order to match Ruby behavior and permit interrupting these date-parsing regular expression matches, this release also enables interruptible regular expressions globally. This feature can be disabled using the "regexp.interruptible" JRuby option as described in the above PR.
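A call-site guard for the date-parsing change described in the first item, written as an added example and not taken from JRuby or the linked PR. It assumes the option is the `limit:` keyword with a default of 128 bytes, as in the upstream Ruby date fix for CVE-2021-41817 (this page does not name the option); the helper names are hypothetical.

```ruby
require 'date'

# Cap applied to untrusted date text. 128 is the default of the upstream
# Ruby date fix (assumption: this page does not state the value).
MAX_DATE_INPUT = 128

# Probe whether this runtime's Date.parse enforces a size limit itself.
# A patched library rejects the oversized string with an ArgumentError that
# mentions the limit (assumed wording); an unpatched one only reports an
# invalid date. The probe string is plain digits, so it is cheap to reject.
def date_limit_enforced?
  Date.parse('1' * (MAX_DATE_INPUT + 1))
  false
rescue ArgumentError => e
  e.message.include?('limit')
end

# Hypothetical helper: parse untrusted text with a hard size cap that holds
# on both patched and unpatched installs. The length check runs before any
# regular expression sees the input.
def safe_parse_date(text, max: MAX_DATE_INPUT)
  raise TypeError, 'date input must be a String' unless text.is_a?(String)
  if text.bytesize > max
    raise ArgumentError, "date input is #{text.bytesize} bytes, cap is #{max}"
  end

  if date_limit_enforced?
    Date.parse(text, limit: max) # keep the library's own check aligned with ours
  else
    Date.parse(text)             # unpatched runtime: our check is the only guard
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "library enforces limit: #{date_limit_enforced?}"
  puts safe_parse_date('2021-12-02')        # constructed sample input
  begin
    safe_parse_date('2021-12-02' + ' ' * 200) # constructed oversized input
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the probe after upgrading, or after applying the workaround patch, confirms that the installed date code is the fixed one.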
