Status for MRI-related security issues? #5126

Closed
thbar opened this issue Mar 31, 2018 · 6 comments
@thbar
Contributor

thbar commented Mar 31, 2018

I'm maintaining Ruby installations for a client on a regular basis (including both MRI & JRuby on various servers).

MRI got multiple releases to cover multiple CVEs:

Before that, MRI got other fixes recently:

I wondered what the situation is for JRuby with regard to the related CVEs.

The JRuby security page doesn't mention recent CVEs, and the news page hasn't had one for a while if I'm not mistaken.

Does this mean that JRuby is unaffected (e.g. if it uses different, underlying JVM components rather than pure Ruby code), or that the evaluation hasn't necessarily been conducted, so the situation is unknown?

I don't know if opening an issue is the way to go for this, but I thought it was worth clarifying, so this could start a discussion!

Thanks for your work on JRuby.

@thbar
Contributor Author

thbar commented Mar 31, 2018

PS: I do realise that like anything else, asserting & following all this takes time, and that resources are limited - I don't feel entitled to anything, just wondering what is the current status! Thanks.

@headius
Member

headius commented Apr 11, 2018

We have been monitoring the various CVEs but have not been able to review them all. In general, most CVEs for CRuby don't apply to JRuby because they involve unsafe memory accesses that are not possible on the JVM. In native code, usually only DoS-type issues will also apply to JRuby, since much of our code uses the same algorithms as CRuby.

Any CVE that affects the Ruby-based standard library merits investigation. We ship a largely-unmodified copy of CRuby's standard library. That has not been updated in the 9.1 line since around the Ruby 2.3.2 timeframe, so any CVEs affecting it after that time should get incorporated. I believe we have held off updating the standard library mostly because we expected JRuby 9.2 to be finished sooner, with support for current 2.4 or 2.5 and current stdlib to go with them.

@headius headius added this to the JRuby 9.1.17.0 milestone Apr 11, 2018
@headius
Member

headius commented Apr 12, 2018

I'm going to bump this to 9.2 so we have time to review these CVEs. We could use some help figuring out which ones might affect JRuby...they hide the related commits rather well.

@headius headius modified the milestones: JRuby 9.1.17.0, JRuby 9.2.0.0 Apr 12, 2018
@enebo enebo modified the milestones: JRuby 9.2.0.0, JRuby 9.2.1.0 May 24, 2018
@headius headius modified the milestones: JRuby 9.2.1.0, JRuby 9.3.0.0 Oct 26, 2018
headius added a commit that referenced this issue Apr 7, 2021

See #5126
@headius
Member

headius commented Apr 7, 2021

Reviewing the releases mentioned, plus all releases after 2.5.1. Some of these have specs in ruby/spec/security, which we pass (except one failure for Array#pack tainting which we do not support and which is deprecated in Ruby). Note that these likely have the same status on 9.2 (which also tracks latest stdlib and gems) but a separate review should be done. I review 9.3 for pre-release here.

Individually reviewing the various security disclosures below:

  • CVE-2017-17742: HTTP response splitting in WEBrick
  • CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
  • CVE-2018-8777: DoS by large request in WEBrick
  • CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication
  • CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  • CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick

JRuby tracks latest WEBrick gem in 9.3 and uses it without modification. We will do a final update before release. CVE-2017-17742 is also tested by a security spec.

  • CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
  • CVE-2021-28966: Path traversal in Tempfile on Windows

JRuby reuses relevant portions of CRuby's tempfile library (recently updated and will be updated again before release) with a native implementation of Tempfile itself based on IO. CVE-2018-6914 is also tested in specs. CVE-2021-28966 involves the tmpdir library, which JRuby tracks from CRuby's 2.6 HEAD.

Largely applies only to the C implementation, but is also tested in specs.

  • CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
  • CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
  • CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?

NUL bytes do not leak out to native calls in most cases in JRuby. In addition, the Dir and File functionality is provided by JDK APIs that are also safe. CVE-2018-8779 and CVE-2018-8780 are tested in specs.

  • Multiple vulnerabilities in RubyGems
  • Unsafe Object Deserialization Vulnerability in RubyGems

JRuby tracks latest RubyGems and was updated recently (#6533).

Buffer underruns will result in JVM exceptions on JRuby and do not constitute a memory vulnerability (and we did not have these bugs to begin with).

  • CVE-2013-0269 Denial of Service and Unsafe Object Creation Vulnerability in JSON
  • CVE-2017-14064: Heap exposure vulnerability in generating JSON
  • CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)

JRuby is unaffected due to the impossibility of exposing raw heap state to the Java-based JSON extension. We also track the latest json gem, which has a Java implementation for JRuby less subject to memory vulnerabilities.

  • Updated bundled libyaml to version 0.1.7

JRuby implements Psych (which wraps libyaml in CRuby) using SnakeYAML, and is current as of recent releases of Psych.

JRuby tracks the latest net-ftp gem.

  • CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives

This is the aforementioned failure in security specs. Tainting is no longer a supported feature, even in CRuby.

  • CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly

JRuby was unaffected and passes the relevant tests, added in 9619fca.

  • Multiple jQuery vulnerabilities in RDoc

JRuby tracks the latest rdoc gem.

  • CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test

JRuby tracks the latest shell gem.

Another case where the JVM protects us from exposing the raw heap. JRuby's socket library largely uses JDK sockets in 9.3.

JRuby tracks the latest rexml gem.
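A small self-check, added here and not part of the JRuby project or the ruby/spec suite, that exercises the poisoned-NUL and tempfile traversal behaviours the review above says the security specs cover (CVE-2018-8780, CVE-2019-15845, CVE-2018-6914). The probe table, the constructed `POISONED_PATH` sample and the helper names are assumptions; running it on a given MRI or JRuby build shows whether the interpreter rejects the input before it reaches the filesystem.

```ruby
require "tempfile"
require "tmpdir"

# Constructed poisoned-NUL input: a C string API would stop at the NUL, so an
# unchecked path would silently become "safe.txt".
POISONED_PATH = "safe.txt\0.jpg"

# Hypothetical probe table: each lambda feeds the poisoned string to one of the
# APIs the review names (File.open as the generic path sink, fnmatch for
# CVE-2019-15845, Dir for CVE-2018-8780).
NUL_PROBES = {
  "File.open"    => ->(p) { File.open(p, "r") { |f| f.read } },
  "File.fnmatch" => ->(p) { File.fnmatch(p, "safe.txt") },
  "Dir.entries"  => ->(p) { Dir.entries(p) },
}.freeze

# True when the interpreter rejects the input up front with ArgumentError (the
# fixed behaviour). Anything else, including an Errno from the OS, means the
# string reached the filesystem layer, which is the failure mode in the CVEs.
def rejected_before_syscall?(probe, input)
  probe.call(input)
  false
rescue ArgumentError
  true
rescue StandardError
  false
end

# Probe name => whether this interpreter rejects the poisoned path.
def nul_byte_results(input = POISONED_PATH)
  NUL_PROBES.transform_values { |probe| rejected_before_syscall?(probe, input) }
end

# CVE-2018-6914 check: a traversal-looking prefix must not escape Dir.tmpdir.
# Fixed Rubies sanitise the prefix rather than raise, so we assert on where the
# file and directory actually landed (an outright ArgumentError is also safe).
def tempfile_confined?(prefix = "../../evil")
  tmp = File.expand_path(Dir.tmpdir)
  file_ok = Tempfile.create([prefix, ".txt"]) { |f| File.dirname(File.expand_path(f.path)) == tmp }
  dir_ok  = Dir.mktmpdir(prefix) { |d| File.dirname(File.expand_path(d)) == tmp }
  file_ok && dir_ok
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  nul_byte_results.each { |api, ok| puts "#{api}: #{ok ? 'rejects NUL' : 'ACCEPTS NUL'}" }
  puts "tempfile/mktmpdir confined to tmpdir: #{tempfile_confined?}"
end
```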

@headius
Member

headius commented Apr 7, 2021

Given that all CVEs to date appear to be addressed by using latest gems, latest copies from stdlib, or involve C-level vulnerabilities, I am calling this one fixed as of 9.3.

@headius headius closed this as completed Apr 7, 2021
@thbar
Contributor Author

thbar commented Apr 7, 2021

Great work, thanks @headius!
