JRuby Released

Wednesday, July 01 2020

The JRuby community is pleased to announce the release of JRuby

JRuby 9.2.x is compatible with Ruby 2.5.x and stays in sync with C Ruby. As always there is a mix of miscellaneous fixes so be sure to read the issue list below. All users are encouraged to upgrade.

As we are still actively working on we decided to put out another 9.2.x release to fix some of the more recently reported issues.

Java Integration

  • The last remaining triggers of the “Illegal access” warnings and errors in JRuby core have been fixed. JRuby will avoid accessing Java modules and packages that have not been exported or opened. (#6195, #6287, #6298, #6299)
  • A new option is added to work around the OpenJDK URLClassLoader concurrency bug we recently reported. Set Java property jruby.ji.close.classloader to false when embedding JRuby in a JVM application to avoid “zip file closed” errors. This will be the default setting in JRuby 9.3. (#6218, #6307)
  • Support for calling Kotlin has improved, avoiding warniings for companion objects. This also avoids a warning when accessing Java code where a static final field is named the same as an inner class. (#6196, #6289)


  • An issue affecting concurrent generation of Java interface implementations has been fixed. (#6160, #6167)
  • Internal optimization of Ruby code has been improved to avoid concurrency issues. (6210, #6230, #6275, 6282, #6288)


A few minor security issues have been fixed. We do not consider them high risk, but we recommend users update. (#6304)

  • Numeric objects now use a per-runtime random seed to generate hash values (CVE-2011-4815). The existing JRuby property jruby.consistent.hashing can be set to true to restore predictable hash values, as for other core types. (6305)
  • String#unpack raised the wrong error for invalid input related to CVE-2018-8778. There was no security issue. (#6306)
  • The WEBrick HTTP server provided in the Ruby standard library has been updated to 1.6.0, to address two issues with response-splitting and header injection (CVE-2017-17742 and CVE-2019-16254). This server is not typically used in production, so the exposure is limited. (#6308)

24 Github Issues resolved for

  • #6308 - Update WEBrick to 1.6.0
  • #6307 - Only close temporary jars to avoid poisoning global jar file cache
  • #6306 - Raise RangeError for out of bounds unpack_at
  • #6305 - Mimic CRuby's numeric hashing
  • #6304 - Align behavior with CRuby for security specs
  • #6299 - Reflective access on Java 11
  • #6298 - Do not bind methods from classes that are not exported
  • #6289 - Only define static field constant when inner class collides
  • #6288 - Always treat non-full IC as not having protocol
  • #6287 - com.sun.javafx.collections not exported in javafx.base
  • #6285 - Backport 9.3 fixes for 9.2.12
  • #6282 - NPE in ruby block called concurrently from Java
  • #6275 - Do lazy instruction deserialization against dup'ed reader
  • #6256 - Raise proper error for missing URLResource target
  • #6230 - CompiledScript throws weird exception that doesn't happen with Invocable
  • #6219 - JRuby thrown NullPointerException on File.open of nonexistent uri
  • #6218 - Errors running multiple independent ScriptingContainers in parallel
  • #6210 - Multithreaded code with function calls fail in precompiled JRuby classes
  • #6196 - "warning: already initialized constant Companion" with Kotlin companion objects
  • #6195 - Use all the tricks to properly eliminate illegal access warnings
  • #6167 - [fix][ji] handle concurrent proxy iface impl init
  • #6160 - interface proxy generation is race-y
  • #6112 - [fix] Enumerable#any? does not require an arg
  • #5968 - Enumerator#any? is wrong for sequence of empty arrays