Bump minimum jruby-openssl to 0.15.4 for CVE-2025-46551

hsbt · claude · hsbt · commit 3a26aa04eec7 · 2026-03-31T11:09:46.000+09:00
jruby-openssl versions prior to 0.15.4 have hostname verification disabled by default, allowing man-in-the-middle attacks with valid certificates for different domains (GHSA-72qj-48g4-5xgx). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/openssl.gemspec b/openssl.gemspec
@@ -11,7 +11,7 @@ Gem::Specification.new do |spec|
   if Gem::Platform === spec.platform and spec.platform =~ 'java' or RUBY_ENGINE == 'jruby'
     spec.platform    = "java"
     spec.files       = []
-    spec.add_runtime_dependency('jruby-openssl', '~> 0.14')
+    spec.add_runtime_dependency('jruby-openssl', '~> 0.15', '>= 0.15.4')
   else
     spec.files         = Dir.glob(["lib/**/*.rb", "ext/**/*.{c,h,rb}", "*.md"], base: File.expand_path("..", __FILE__)) +
                          ["BSDL", "COPYING"]
