Security: Bump cgi to 0.4.2. CVE-2025-27220 CVE-2025-27219 #8954
headius merged 1 commit into jruby:master from
Conversation
Thank you! I'll cherry-pick this to 9.4 as well.
Hello, I see JRuby 9.4.14.0 has been released with the cgi bump, but I can't see the 10.x release with the fix. What is the expected timeline for the 10.x branch?
@ylecuyer For CVEs that are part of the standard library, you can simply upgrade your local copy of that gem ( If you have a need for a "clean" release of 10.x on a shorter timeframe, get in touch with me directly and we can talk about options: headius@headius.com.
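The comment above suggests upgrading the local copy of the stdlib gem rather than waiting for an interpreter release. The following is an added example, not code from the PR or from JRuby, showing how to check what RubyGems actually sees on a host or in a container image: every installed `cgi` gem, whether each copy is a default gem (shipped with the interpreter, so `gem uninstall` cannot remove it), and which copies a scanner would flag. It treats every version below 0.4.2 (the version this PR bumps to) as flagged; that threshold mirrors scanner behaviour and is an assumption, not a statement of exactly which releases are affected by the two CVEs.

```ruby
# Added example (not part of the JRuby PR): list every cgi gem visible to
# RubyGems and flag versions older than the release this PR bumps to.
# Assumption: anything below FIXED_CGI_VERSION is treated as flagged, which is
# what a container scanner does; it is not a per-version affectedness claim.
require "rubygems"

FIXED_CGI_VERSION = "0.4.2"

# Return the subset of version strings that sort below `fixed`, using
# Gem::Version so that "0.4.10" compares correctly against "0.4.2".
def vulnerable_cgi_versions(versions, fixed: FIXED_CGI_VERSION)
  threshold = Gem::Version.new(fixed)
  versions.select { |v| Gem::Version.new(v) < threshold }
end

# Enumerate every cgi gem RubyGems knows about, noting whether it is a default
# gem. A default gem is part of the interpreter install and cannot be removed
# with `gem uninstall`, so a newer copy installed alongside it does not make
# the old version disappear from the filesystem.
def installed_cgi_gems
  Gem::Specification.find_all_by_name("cgi").map do |spec|
    { version: spec.version.to_s, default: spec.default_gem? }
  end
end

# Summarise the environment: which versions would a scanner flag, and which of
# those are default-gem copies that only an interpreter update can replace?
def cgi_report(specs = installed_cgi_gems, fixed: FIXED_CGI_VERSION)
  flagged = vulnerable_cgi_versions(specs.map { |s| s[:version] }, fixed: fixed)
  undeletable = specs.select { |s| flagged.include?(s[:version]) && s[:default] }
  { flagged: flagged, undeletable_flagged: undeletable.map { |s| s[:version] } }
end

if $PROGRAM_NAME == __FILE__
  report = cgi_report
  if report[:flagged].empty?
    puts "no cgi gem below #{FIXED_CGI_VERSION} is visible to RubyGems"
  else
    puts "scanner would flag cgi #{report[:flagged].join(', ')}"
    unless report[:undeletable_flagged].empty?
      puts "default-gem copies (cannot be uninstalled; need an interpreter " \
           "update): #{report[:undeletable_flagged].join(', ')}"
    end
  end
end
```

Running this inside the image after `gem install cgi` shows the point made in the thread: the newer gem appears, but the default-gem copy of the old version is still listed, which is why a filesystem-based scanner keeps reporting it until the interpreter itself is updated.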
You know how security scans work, they check the whole container and flag if they find the vulnerable version (be it used or not) and cgi being a stdlib you can't uninstall the vulnerable version afaict :(
@ylecuyer Ahh yes, I understand the problem. We will try to prioritize a JRuby 10 update release soon. Meanwhile, perhaps you could add an entry to https://github.com/jruby/jruby/blob/master/USERS.md via a PR? We would like to do a better job of tracking who is using JRuby and how we can better serve you!
Bump cgi version to fix CVE-2025-27220 and CVE-2025-27219