Update vendored cgi gem

[donoghuc]

The vendored (default) cgi gem

jruby/lib/pom.rb

Line 23 in e392391

['cgi', '0.4.1'],

has a reported CVE https://nvd.nist.gov/vuln/detail/CVE-2025-27220.

Several patched releases of cgi are available https://rubygems.org/gems/cgi/versions. It looks like MRI ruby is going with 0.4.2 https://stdgems.org/. Perhaps that is the best path?

In general what is the strategy for default gems in jruby? Are they meant to track a specific ruby major/minor?

For example in the jruby 9.4 stream would the default gems track those in ruby 3.1? Or ruby 3.y?

[headius]

We are generally conservative with older versions like jruby 9.4 supporting 3.1 and try to stick to the same versions of gem that MRI ships with, but we would obviously make an exception when there's security issues. With 3.1 being EOL, are they releasing an update with a newer CGI?

[headius]

They did release 3.1.7 with this security fix: https://www.ruby-lang.org/en/news/2025/03/26/ruby-3-1-7-released/

We'll do the same for JRuby 9.4.14.0.

[headius]

Updates for 9.4.14.0 in #8966.

[headius]

JRuby 10.0.2.0 already includes cgi 0.4.2 with the CVE fixes so I believe we're good there.

[headius]

JRuby 9.4.14.0 should be coming this week or next!

[donoghuc]

Thanks!