Skip to content

Instantly share code, notes, and snippets.

@headius

headius/jruby_9.3.1.1_notes.md Secret

Last active December 2, 2021 16:44
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Raw
jruby_9.3.1.1_notes.md

Security

  • Date-parsing methods have been modified to accept an input-size limit option. This addresses CVE-2021-41817. It was originally reported against Ruby's C-based date extension, which JRuby does not use, but JRuby's own implementation of date is also affected by the same issue.

    The fix is detailed in #6952. A workaround is provided, via patching the pure-Ruby date code in your own JRuby install. Rebuilding JRuby is not necessary. This PR is the only functional difference from JRuby 9.3.1.0.

  • In order to match Ruby behavior and permit interrupting these date-parsing regular expression matches, this release also enables interruptible regular expressions globally. This feature can be disabled using the "regexp.interruptible" JRuby option as described in the above PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment