included jruby version is vulnerable due to snakeyaml dependency

[derekhillhp]

Issue #1141 which lists upgrading jruby to version 9.4.1.0, but that doesn't appear to be included in the latest release of 2.5.9. According to the change log:

~/Downloads/asciidoctorj-2.5.9$ cat CHANGELOG.adoc |grep -i jruby

• Upgrade to jruby 9.3.10.0 (Update jruby to 9.3.9.0 or 9.3.10.0 to resolve CVEs #1138) (@alexlevinfr)
• Upgrade to JRuby 9.3.8.0 (Upgrade to JRuby 9.3.8.0 #1117)
• Upgrade to JRuby 9.3.4.0 (Update versions of Gradle, JRuby and frameworks for integration tests. #1085)
• Upgrade to jruby 9.2.20.1 (Upgrade to asciidoctor 2.0.17 #1074)
• Upgrade to jruby 9.2.17.0 (Upgrade asciidoctorj-diagram to 2.1.2, jruby to 9.2.17.0 and gradle t… #1004)
• Upgrade to jruby 9.2.14.0 (Upgrade version asciidoctorj-pdf, asciidoctorj-diagram and asciidocto… #986)
  • Upgrade to JRuby 9.2.13.0 (Upgrade JRuby to 9.1.13.0 #948)
• Upgrade to JRuby 9.2.12.0 removing the last illegal access warnings (Upgrade to jruby-9.2.12.0 #935)
• Upgrade to JRuby 9.2.11.1
• Upgrade to jruby-gradle-plugin 2.0.0
• Upgrade to JRuby 9.2.8.0 (@ahus1) (upgrade jruby to 9.2.8.0 as it fixed some assertions bugs #850)
• Upgrade to JRuby 9.2.9.0
• Remove exception protection from LogHandler in JRubyAsciidoctor to align behaviour with AbstractConverter (@abelsromero) (fixes #842 - allow LogHandlers to break conversion throwing an exception #844)
• Upgrade to JRuby 9.2.7.0 (Update jruby to 9.2.7.0 #796)
• Upgrade to JRuby 9.2.6.0. This version of AsciidoctorJ is incompatible with any version of JRuby <= 9.2.5.0
• Fix jruby-maven-plugin and upstream build (@mkristian) (fix jruby-maven-plugin and build of gem #777)

The latest versoin included is 9.3.10.0 which still has some CVE's against it. As a matter of fact, the latest version of jruby is 9.4.2.0 which was released about 3 months ago. https://github.com/jruby/jruby/releases/tag/9.4.2.0

Is it possible to update to the latest version of jruby 9.4.2.0 and re-issue a new version of asciidoctorj. We are trying to resolve the persistent snakeyaml vulnerabilities which are being pulled in by older versions of jruby.

[abelsromero]

Issue #1141 which lists upgrading jruby to version 9.4.1.0, but that doesn't appear to be included in the latest release of 2.5.9.

That PR is for the main branch which is targeting v3.0.0, version v2.5.9 is in branch v2.5.x.

Is it possible to update to the latest version of jruby 9.4.2.0

Yes, I'll prepare a PR. No issue at all.

and re-issue a new version of asciidoctorj

That's to be confirmed. But checking the JRuby History, I see we are "affected" by https://nvd.nist.gov/vuln/detail/CVE-2022-38751. However, we do not do any yaml parsing, and as such the CVE could be dismissed in case that's an option in the meantime.

[derekhillhp]

Thanks for the update and fast response. Much appreciated.

[robertpanzer]

A new version of AsciidoctorJ with a more recent version of JRuby was released.