Old version of jQuery is present in the JRuby builds

[joshbressers]

I was asked by the security team to open a public issue for this, it's not an urgent security issue.

This CVE ID
https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Describes the following jQuery vulnerability

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

If you unpack the JRuby jar, jquery.js can be found here
META-INF/jruby.home/lib/ruby/stdlib/rdoc/generator/template/darkfish/js/jquery.js

In that file we see "jQuery v1.6.4".

CRuby recently fixed this by not shipping the jquery.js file anymore.
ruby/ruby@e82719c

[joshbressers]

cc @headius

[headius]

As pointed out, CRuby fixed this by removing the offending files.

This only affects generated rdoc. Because we do not generate rdoc by default for gem installs, I think it would be fine for us to just mimic the CRuby change for JRuby 9.2.9.

[headius]

CRuby removed the files directly, but we vendor the gem. I have updated it to the first safe version, rdoc 6.1.2.