Request: Update net-imap to 0.5.8 in JRuby 10.x to fix CVE in 0.5.6 #8839
-
|
We are currently using JRuby 10.x.x.x and noticed that it includes net-imap version 0.5.6, which has a known vulnerability (CVE-2025-25186 – [https://www.cve.org/CVERecord?id=CVE-2025-25186]). We see that version 0.5.8 of net-imap has been released, which addresses this issue. Could you please share whether there's a plan or timeline to upgrade the bundled net-imap gem in the JRuby 10.x.x.x release series? If there's a recommended workaround in the meantime, that would also be helpful to know. Thanks in advance! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 6 replies
-
|
We have done the update already in #8826 but have not yet released a new distribution of JRuby 10. In the interim you should be able to uninstall the bad version and install the fixed version on any standard JRuby distribution. We will probably have a release of JRuby 10.0.1 with this fixed net-imap by the end of May. |
Beta Was this translation helpful? Give feedback.
-
|
Which files specifically are you seeing that remain after uninstalling? Perhaps the .gem file? You should be able to uninstall from the shared path if it is writable. |
Beta Was this translation helpful? Give feedback.
-
|
|
Beta Was this translation helpful? Give feedback.
-
|
@sathish-krishnamurthy Thank you for the information. I figured you must be using a security-scanning package that is detecting the old files. And it is a good thing too, because something is not right! Unfortunately it appears there's a small bug in our build process; net-imap is supposed to be only a bundled gem, available under the I will switch this discussion to a bug and we'll get that fixed. For now you should be able to safely delete the rogue net-imap files:
The gem uninstall process should take care of the other files under lib/ruby/gems/shared as you have seen. Sorry for the inconvenience, but at least now we can fix this dist issue! |
Beta Was this translation helpful? Give feedback.
-
|
Thank you @headius 👍 , We have removed from stdlib. And workaround may not be possible, as the scan also identifies an older version of net-imap within the jruby-jars gem. :) |
Beta Was this translation helpful? Give feedback.
-
|
@sathish-krishnamurthy Yeah the jruby-jars gem and the jruby-complete and jruby-stdlib maven artifacts are more difficult to fix, unfortunately. jruby-jars contains jruby-core (all Java dependencies) plus jruby-stdlib, and jruby-complete contains both of those in one archive. We'll try to prioritize getting a release out next week. |
Beta Was this translation helpful? Give feedback.
We have done the update already in #8826 but have not yet released a new distribution of JRuby 10. In the interim you should be able to uninstall the bad version and install the fixed version on any standard JRuby distribution.
We will probably have a release of JRuby 10.0.1 with this fixed net-imap by the end of May.