Update dependency org.jruby:jruby to v9.4.12.1 [SECURITY]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
org.jruby:jruby	9.4.9.0 → 9.4.12.1

---

JRuby-OpenSSL has hostname verification disabled by default

CVE-2025-46551 / GHSA-72qj-48g4-5xgx

More information

Details

Summary

When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present any valid cert for a completely different domain they own, and JRuby wouldn't complain.

Details

n/a

PoC

An example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with certificate verify failed (hostname mismatch), but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3

require "net/http"
require "openssl"

uri   = URI("https://bad.substitutealert.com/")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl      = true
https.verify_mode  = OpenSSL::SSL::VERIFY_PEER

body = https.start { https.get(uri.request_uri).body }
puts body

Impact

Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely

Severity

• CVSS Score: 5.7 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

References

• https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx
• https://github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055
• https://nvd.nist.gov/vuln/detail/CVE-2025-46551
• https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jruby-openssl/CVE-2025-46551.yml
• https://github.com/advisories/GHSA-72qj-48g4-5xgx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

jruby/jruby (org.jruby:jruby)

v9.4.12.1: JRuby 9.4.12.1 Released

Compare Source

The JRuby community is pleased to announce the release of JRuby 9.4.12.1.

• Homepage: https://www.jruby.org/
• Download: https://www.jruby.org/download

JRuby 9.4.12.x targets Ruby 3.1 compatibility.

Security

• jruby-openssl has been updated to 0.15.4, which re-enables hostname verification by default. This addresses CVE-2025-46551 and GHSA-72qj-48g4-5xgx.

v9.4.12.0: JRuby 9.4.12.0 Released

Compare Source

The JRuby community is pleased to announce the release of JRuby 9.4.12.0.

• Homepage: https://www.jruby.org/
• Download: https://www.jruby.org/download

JRuby 9.4.12.x targets Ruby 3.1 compatibility.

Thank you to our contributors this release, you help keep JRuby moving forward!

Critical Fixes

• Added additional locking to the new Class#subclasses implementation to fix a concurrent modification error. #​8602, #​8603

Standard Library

• jar-dependencies upgraded to 0.5.4 to fix an issue parsing Maven output on Java versions 9 and higher. #​8606, [#​8515]

4 Issues and PRs resolved for 9.4.12.0

• #​8602 ConcurrentModificationException in subclasses map
• #​8603 Ensure subclass set prevents concurrent modification
• #​8606 No such file or directory snakeyaml-engine-2.9.jar in JRuby 9.4.11.0
• #​8615 Use jar-dependencies 0.5.4

v9.4.11.0: JRuby 9.4.11.0 Released

Compare Source

The JRuby community is pleased to announce the release of JRuby 9.4.11.0.

• Homepage: https://www.jruby.org/
• Download: https://www.jruby.org/download

JRuby 9.4.11.x targets Ruby 3.1 compatibility. This release fixes two critical bugs in JRuby 9.4.10.0 and we recommend users skip that version when upgrading.

Thank you to our contributors this release, you help keep JRuby moving forward!

• Karol Bucek @​kares

Critical Fixes

• Fixed an issue where Mutex lock acquisition may leave the Mutex locked if an asynchronous Thread interrupt happens at the same time. #​8585, #​8586
• Fixed a memory leak where singleton classes would leave behind bookkeeping objects that accumulated over time. #​8591, #​8598

Standard Library

• rubygems been updated to version 3.6.3 to fix an incompatibility with bundler 2.6. #​8590, #​8596
• bundler has been updated to version 2.6.3. #​8596
• jruby-openssl has been updated to 0.15.3. #​8458, Release 0.15.3
• jar-dependencies has been updated to 0.5.3 to fix remaining issues loading Maven jars in containerized environments. #​8593, #​8595

9 Issues and PRs resolved for 9.4.11.0

• #​8458 [deps] bump jruby-openssl to 0.15.3
• #​8584 Remove dependency on jakarta.annotation-api
• #​8585 Thread interrupt can leave Mutex locked in synchronize
• #​8586 Unlock if poll triggers an exception
• #​8590 Bundler v2.6.x is incomptible with Gem system version included in JRuby 9.4.10.0 by default
• #​8591 Eliminate leak of non-concrete subclass references
• #​8593 Cannot create a Rails app with JRuby 9.4.10.0, Rails 7.1.5.1
• #​8595 Update jar-dependencies to 0.5.3
• #​8596 Update rubygems to 3.6.3 and bundler to 2.6.3
• #​8598 Memory leak from ActiveRecord_Relation after upgrading from JRuby 9.4.9.0 to 9.4.10.0

v9.4.10.0: JRuby 9.4.10.0 Released

Compare Source

The JRuby community is pleased to announce the release of JRuby 9.4.10.0.

• Homepage: https://www.jruby.org/
• Download: https://www.jruby.org/download

JRuby 9.4.x targets Ruby 3.1 compatibility.

Thank you to our contributors this release, you help keep JRuby moving forward!

• Dani Smith @​danini-the-panini
• Karol Bucek @​kares
• mrnoname1000 @​mrnoname1000

Ruby Compatibility

• Fixed a NegativeArraySizeException crash parsing heredocs. #​8355, #​8557
• Users can now opt into Ruby 3.3 behavior for NoMethodError and NameError that no longer inspects the target object. This inspect frequently led to memory issues. Specify JRuby flag -XnameError.inspect.object=false or JVM property jruby.nameError.inspect.object=false to disable the inspect call. #​216, #​8384, #​8538
• Implemented the missing Process.argv0 method, used by recent Bundler releases. #​8568, #​8570

Standard Library

• The jar-dependencies gem, responsible for fetching jar file dependencies of Ruby gems, can now be updated independently of JRuby. #​7262, #​8488, #​8502
• An upcoming release of jar-dependencies, will fix issues sourcing jar dependencies in container deployments (partially fixed previously by an updated ruby-maven-libs gem). #​7059, #​8366
• The psych gem is updated to version 5.2.3, including a fix for YAML aliases from SnakeYAML-Engine version 2.9. #​8352, #​8575
• The reline gem is updated to 0.5.12. #​8481

Java Integration

• Only JVM classes imported from the same classloader hierarchy as JRuby will be bound to constants in JRuby's package hierarchy. #​8156
• Implementing a Java interface no longer leads to constant redefinition warnings. #​8349, #​8503
• Precompiled Ruby scripts now properly prepare optimized homogeneous case/when statements. Previously they would deserialize incorrectly and garble the branches. #​8421, #​8424

Performance and Usability

• Additional runtime data structures are eagerly cleared when tearing down a JRuby runtime, aiding GC. #​8343, #​8566
• The JRuby shell-based launcher script now properly handles JRuby installed in a path with spaces. #​8441, #​8442
• The Class#subclasses method has been optimized to eliminate it as a bottleneck in complex ActiveRecord STI queries. #​8457, #​8462
• Integer multiplication operations that overflow outside of int64 range have been optimized to eliminate heavy exception raises. #​8516, #​8523

Issues and PRs resolved for 9.4.10.0

• #​7059 Issue of Jar dependency with Jruby-9.3.3.0
• #​7262 jar-dependencies cannot be updated out-of-band from jruby
• #​8156 JRuby adds Java proxy classes to the Java module even if they are not from JRubyClassLoader
• #​8343 Free up memory memory used by JRuby during teardown
• #​8349 internal proxy class is stored in Ruby land and prints warning
• #​8352 Cyclic references in Set objects raise exception with YAML#load
• #​8355 NegativeArraySizeException while parsing Heredoc in irb in JRuby 9.4.8.0
• #​8366 Jruby 9.4.8.0 fails to install psych
• #​8384 OutOfMemoryError while constructing a NameError in the context of a large object
• #​8398 ruby2_keywords + forwarding to native does not properly check arity
• #​8412 Intermittent exceptions with 'Java::JavaLang::NoClassDefFoundError : org/jruby/gen/RubyObject13'
• #​8415 Skip extension builds for default gems
• #​8416 [Possible bug] Can not start jruby-swing applications since 9.4.9.0 - or rather, the window auto-closes almost instantly
• #​8417 Trivial refactoring for match
• #​8421 Incorrect case tree selection when comparing long Symbols during compiled Ruby code execution
• #​8424 Sort the jump tables based on new values
• #​8425 Don't clear the ThreadGroup when Thread terminates
• #​8431 jruby/thread_dump.rb seems to be broken
• #​8433 Root specialized object classloader at JRuby classloader
• #​8436 Pass Enumerable#uniq arguments properly
• #​8438 Remove rogue exit(0) that shuts down JVM
• #​8441 Spaces in the path cause bin/jruby script to build an invalid command string
• #​8442 jruby.sh: Use array to handle option files
• #​8457 Class#subclasses slows down with larger sets
• #​8462 Optimize Class#subclasses
• #​8466 jirb 9.4.9.0 - reline "cannot convert parameter to native pointer"
• #​8469 fix --jdb -sourcepath command
• #​8477 Update to jar-dependencies 0.5.0
• #​8478 Avoid re-polling while reporting a Thread#raise
• #​8479 Thread interrupt requests can overwrite each other
• #​8480 Provide concrete-only traversal for Class#subclasses
• #​8481 Update reline to 0.5.12
• #​8488 Issues bundling psych related to the jar-dependencies bump
• #​8502 Avoid loading jar-dependencies to install gem hook
• #​8503 [ji] do not expose InterfaceImpl classes in Ruby land
• #​8511 Update to jruby-maven-plugins 3.0.4
• #​8512 Disable Maven download progress output on CI jobs
• #​8515 Update jruby-maven-plugins to 3.0.5
• #​8516 Strange performance difference?
• #​8523 Revert multiply to use non-intrinsic exactness checks
• #​8538 Backport no-inspect NameError logic
• #​8557 Fixes #​8355: wallpaper crash in heredoc eof error
• #​8562 Use same logic as IR for kwarg handling in IO#write
• #​8566 Additional teardown to aid GC and release resources
• #​8567 Update thread dump hook for modern JRuby
• #​8568 Process.argv0 missing
• #​8570 Add Process.argv0
• #​8571 Update to jcodings 1.0.59
• #​8572 Use warning instead of warning when adding attr as module_function
• #​8573 Update jcodings to 1.0.61 and joni to 2.2.3
• #​8575 Update psych to 5.2.3

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.