[ANN] JRuby 9.2.12.0 Released

The JRuby community is pleased to announce the release of JRuby 9.2.12.0

    Homepage: http://www.jruby.org/
    Download: http://www.jruby.org/download

JRuby 9.2.x is compatible with Ruby 2.5.x and stays in sync with C Ruby. As
always there is a mix of miscellaneous fixes so be sure to read the issue
list below. All users are encouraged to upgrade.

As we are still actively working on 9.3.0.0 we decided to put out another
9.2.x release to fix some of the more recently reported issues.
Java Integration

    The last remaining triggers of the “Illegal access” warnings and errors
in JRuby core have been fixed. JRuby will avoid accessing Java modules and
packages that have not been exported or opened. (#6195, #6287, #6298, #6299)
    A new option is added to work around the OpenJDK URLClassLoader
concurrency bug we recently reported. Set Java property
jruby.ji.close.classloader to false when embedding JRuby in a JVM
application to avoid “zip file closed” errors. This will be the default
setting in JRuby 9.3. (#6218, #6307)
    Support for calling Kotlin has improved, avoiding warniings for
companion objects. This also avoids a warning when accessing Java code
where a static final field is named the same as an inner class. (#6196,
#6289)

Concurrency

    An issue affecting concurrent generation of Java interface
implementations has been fixed. (#6160, #6167)
    Internal optimization of Ruby code has been improved to avoid
concurrency issues. (6210, #6230, #6275, 6282, #6288)

Security

A few minor security issues have been fixed. We do not consider them high
risk, but we recommend users update. (#6304)

    Numeric objects now use a per-runtime random seed to generate hash
values (CVE-2011-4815). The existing JRuby property
jruby.consistent.hashing can be set to true to restore predictable hash
values, as for other core types. (6305)
    String#unpack raised the wrong error for invalid input related to
CVE-2018-8778. There was no security issue. (#6306)
    The WEBrick HTTP server provided in the Ruby standard library has been
updated to 1.6.0, to address two issues with response-splitting and header
injection (CVE-2017-17742 and CVE-2019-16254). This server is not typically
used in production, so the exposure is limited. (#6308)

24 Github Issues resolved for 9.2.12.0

    #6308 - Update WEBrick to 1.6.0
    #6307 - Only close temporary jars to avoid poisoning global jar file
cache
    #6306 - Raise RangeError for out of bounds unpack_at
    #6305 - Mimic CRuby's numeric hashing
    #6304 - Align behavior with CRuby for security specs
    #6299 - Reflective access on Java 11
    #6298 - Do not bind methods from classes that are not exported
    #6289 - Only define static field constant when inner class collides
    #6288 - Always treat non-full IC as not having protocol
    #6287 - com.sun.javafx.collections not exported in javafx.base
    #6285 - Backport 9.3 fixes for 9.2.12
    #6282 - NPE in ruby block called concurrently from Java
    #6275 - Do lazy instruction deserialization against dup'ed reader
    #6256 - Raise proper error for missing URLResource target
    #6230 - CompiledScript throws weird exception that doesn't happen with
Invocable
    #6219 - JRuby thrown NullPointerException on File.open of nonexistent
uri
    #6218 - Errors running multiple independent ScriptingContainers in
parallel
    #6210 - Multithreaded code with function calls fail in precompiled
JRuby classes
    #6196 - "warning: already initialized constant Companion" with Kotlin
companion objects
    #6195 - Use all the tricks to properly eliminate illegal access warnings
    #6167 - [fix][ji] handle concurrent proxy iface impl init
    #6160 - interface proxy generation is race-y
    #6112 - [fix] Enumerable#any? does not require an arg
    #5968 - Enumerator#any? is wrong for sequence of empty arrays

···

--
blog: http://blog.enebo.com twitter: tom_enebo
mail: tom.enebo@gmail.com