Fedora has jruby 1.7.2 which contains known CVEs and fixed in version 1.7.3 http://www.jruby.org/2013/02/21/jruby-1-7-3.html . Meantime 1.7.4 is released and it's probably best to update to it directly.
Thanks for this, Alexander. The two CVEs that are corrected are CVE-2013-0269 and CVE-2013-1821. I'm going to link those bugs and turn this into a tracking bug. I've looked on the upstream page and can't see anything about 1.6.x being affected by these, but it wouldn't surprise me if they were, so this may be an issue for Fedora 17 and 18 as well (unknown).
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.
More information and reason for this action is here:
You plan to fix this soon?
Hey pjp, I haven't worked on this in a while, msrb took over jruby packaging. From the looks of it though it seems the build has been updated in rawhide:
This bug is filed against F20 but I doubt that the build will be able to be backported there due to missing and incompatible dependencies. Closing as on rawhide.