Old version of jQuery is present in the JRuby builds #5872
Milestone
Comments
|
cc @headius |
|
As pointed out, CRuby fixed this by removing the offending files. This only affects generated rdoc. Because we do not generate rdoc by default for gem installs, I think it would be fine for us to just mimic the CRuby change for JRuby 9.2.9. |
|
CRuby removed the files directly, but we vendor the gem. I have updated it to the first safe version, rdoc 6.1.2. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I was asked by the security team to open a public issue for this, it's not an urgent security issue.
This CVE ID
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Describes the following jQuery vulnerability
If you unpack the JRuby jar, jquery.js can be found here
META-INF/jruby.home/lib/ruby/stdlib/rdoc/generator/template/darkfish/js/jquery.js
In that file we see "jQuery v1.6.4".
CRuby recently fixed this by not shipping the jquery.js file anymore.
ruby/ruby@e82719c
The text was updated successfully, but these errors were encountered: