More information about this security flaw is available in the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=2364868 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
There is a jruby-complete.jar included in the release tarball, which might be vulnerable. But I don't think it is used for the purpose of this package. Therefore selenium-manager is not vulnerable and this is NOTABUG. But given the .jar file size, it would IMHO make sense to omit it from the source tarball.
The jruby-complete.jar file was removed from the shipped tarball in the latest update (update to version 4.34.0).
FEDORA-2025-89abd49c4a (selenium-manager-4.34.0-2.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-89abd49c4a
FEDORA-2025-dda04d7a84 (selenium-manager-4.34.0-2.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-dda04d7a84
FEDORA-2025-dda04d7a84 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-dda04d7a84` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-dda04d7a84 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-89abd49c4a has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-89abd49c4a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-89abd49c4a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-dda04d7a84 (selenium-manager-4.34.0-2.fc41) has been pushed to the Fedora 41 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2025-89abd49c4a (selenium-manager-4.34.0-2.fc42) has been pushed to the Fedora 42 stable repository. If the problem still persists, please make note of it in this bug report.
(In reply to TomasJuhasz from comment #2)
> The jruby-complete.jar file was removed from shipped tarball, in latest
> update (update to version 4.34.0).

Thanks. However, checking the actual change, this is usually better handled by some custom script, which is part of the repository. This helps with reproducibility. A description in the README is nice, but not enough.
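
One way such a repack script could look, as an added example that is not taken from the selenium-manager package repository or from any comment above. The function names and the command-line usage are assumptions; it drops every member named jruby-complete.jar and writes a gzip stream without a timestamp, so the same upstream tarball always produces a byte-identical result.

```python
"""Added example: repack an upstream source tarball without a bundled JAR."""
import gzip
import hashlib
import posixpath
import sys
import tarfile


def strip_bundled(src, dst, names=("jruby-complete.jar",)):
    """Copy tarball src to dst, dropping members whose basename is in names.

    Returns the removed member paths. Member metadata is copied unchanged and
    the gzip header carries no timestamp or file name, so identical input
    gives byte-identical output.
    """
    removed = []
    with tarfile.open(src, "r:*") as tin, open(dst, "wb") as raw:
        with gzip.GzipFile(filename="", mode="wb", fileobj=raw, mtime=0) as gz:
            with tarfile.open(fileobj=gz, mode="w",
                              format=tarfile.PAX_FORMAT) as tout:
                for member in tin:
                    if posixpath.basename(member.name) in names:
                        removed.append(member.name)
                        continue
                    # Only regular files carry data; dirs and links are
                    # written as headers only.
                    data = tin.extractfile(member) if member.isreg() else None
                    tout.addfile(member, data)
    if not removed:
        # Fail loudly when upstream renames or drops the file, so the
        # packaging script gets revisited instead of silently doing nothing.
        raise ValueError(f"none of {names} found in {src}")
    return removed


def sha256(path):
    """Hex digest of the repacked tarball, for recording next to the spec."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


if __name__ == "__main__":
    # Hypothetical usage: strip_jar.py UPSTREAM.tar.gz CLEAN.tar.gz
    gone = strip_bundled(sys.argv[1], sys.argv[2])
    print("removed:", *gone)
    print("sha256:", sha256(sys.argv[2]))
```

Running it twice on the same upstream tarball and comparing the printed digests confirms that the cleaned tarball can be regenerated by anyone from the script alone.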