Bug 253822 - lang/jruby: Update to
Summary: lang/jruby: Update to
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Koichiro Iwao
Depends on:
Blocks: 250731
  Show dependency treegraph
Reported: 2021-02-24 20:08 UTC by Thomas Hurst
Modified: 2021-04-07 14:01 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (ruby)

Patch lang/jruby to (38.15 KB, patch)
2021-02-24 20:08 UTC, Thomas Hurst
no flags Details | Diff
Patch lang/jruby to (39.46 KB, patch)
2021-03-03 21:52 UTC, Thomas Hurst
no flags Details | Diff
Patch lang/jruby to (40.46 KB, patch)
2021-03-29 19:52 UTC, Thomas Hurst
tom: maintainer-approval? (ruby)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Hurst 2021-02-24 20:08:41 UTC
Created attachment 222797 [details]
Patch lang/jruby to

This includes fixes for various security issues, in particular:

* CVE-2011-4815 (predictable hashing DoS)
* CVE-2017-17742, CVE-2019-16254, CVE-2020-25613 (WeBrick request smuggling/splitting)
* CVE-2017-18640 (SnakeYAML entity expansion DoS)

As well as fixes for File.stat/lstat on FreeBSD 12 and later, which previously rendered JRuby unusable on these systems.

Port passes portlint and poudriere testport.
Comment 1 Thomas Hurst 2021-03-03 19:54:43 UTC
An update to will follow shortly.
Comment 2 Thomas Hurst 2021-03-03 21:52:26 UTC
Created attachment 222956 [details]
Patch lang/jruby to
Comment 3 Thomas Hurst 2021-03-29 19:52:40 UTC
Created attachment 223687 [details]
Patch lang/jruby to
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-04-07 10:43:51 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8147a5a7044e7a055288252731de647ca5e4ecd1

commit 8147a5a7044e7a055288252731de647ca5e4ecd1
Author:     Koichiro Iwao <meta@FreeBSD.org>
AuthorDate: 2021-04-07 10:37:06 +0000
Commit:     Koichiro Iwao <meta@FreeBSD.org>
CommitDate: 2021-04-07 10:42:46 +0000

    lang/jruby: Update to

    CVEs are fixed at

    PR:             253822
    Reported by:    Thomas Hurst <tom@hur.st>
    Relnotes:       https://www.jruby.org/2021/03/29/jruby-9-2-17-0.html
    Security:       CVE-2011-4815
    Security:       CVE-2017-17742
    Security:       CVE-2019-16254
    Security:       CVE-2020-25613
    Security:       CVE-2017-18640

 lang/jruby/Makefile  |   3 +-
 lang/jruby/distinfo  |   6 +-
 lang/jruby/pkg-plist | 357 ++++++++++++++++++++++++++++++---------------------
 3 files changed, 213 insertions(+), 153 deletions(-)
Comment 5 Koichiro Iwao freebsd_committer freebsd_triage 2021-04-07 14:01:44 UTC
Committed, thanks!