From 3a26aa04eec79e750c36ded6dada02d4f6e095de Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA
Date: Tue, 31 Mar 2026 11:09:46 +0900
Subject: [PATCH] Bump minimum jruby-openssl to 0.15.4 for CVE-2025-46551

jruby-openssl versions prior to 0.15.4 have hostname verification disabled by default, allowing man-in-the-middle attacks with valid certificates for different domains (GHSA-72qj-48g4-5xgx).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 openssl.gemspec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openssl.gemspec b/openssl.gemspec
index c594c6f17..0befa5336 100644
--- a/openssl.gemspec
+++ b/openssl.gemspec
@@ -11,7 +11,7 @@ Gem::Specification.new do |spec|
 if Gem::Platform === spec.platform and spec.platform =~ 'java' or RUBY_ENGINE == 'jruby'
 spec.platform = "java"
 spec.files = []
- spec.add_runtime_dependency('jruby-openssl', '~> 0.14')
+ spec.add_runtime_dependency('jruby-openssl', '~> 0.15', '>= 0.15.4')
 else
 spec.files = Dir.glob(["lib/**/*.rb", "ext/**/*.{c,h,rb}", "*.md"], base: File.expand_path("..", __FILE__)) + ["BSDL", "COPYING"]