Description
I'm maintaining Ruby installations for a client on a regular basis (including both MRI & JRuby on various servers).
MRI got multiple releases to cover multiple CVEs:
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
Before that, MRI got other fixes recently:
- https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-3-6-released/
- https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
I wondered what the situation is for JRuby with regard to the related CVEs.
The JRuby security page doesn't mention recent CVEs, and the news page hasn't had one for a while if I'm not mistaken.
Does this mean that JRuby is unaffected (e.g. if it uses different, underlying JVM components rather than pure Ruby code), or that the evaluation hasn't necessarily been conducted, so the situation is unknown?
I don't know if opening an issue is the way to go for this, but I thought it was worth clarifying, so this could start a discussion!
Thanks for your work on JRuby.