HBase / HBASE-20582

Bump up JRuby version because of some reported vulnerabilities

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0, 2.1.0
    • Component/s: dependencies, shell
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      There are some vulnerabilities reported with two of the libraries used in HBase.

      JRuby (version: 9.1.10.0):
      CVE-2009-5147
      CVE-2013-4363
      CVE-2014-4975
      CVE-2014-8080
      CVE-2014-8090
      CVE-2015-3900
      CVE-2015-7551
      CVE-2015-9096
      CVE-2017-0899
      CVE-2017-0900
      CVE-2017-0901
      CVE-2017-0902
      CVE-2017-0903
      CVE-2017-10784
      CVE-2017-14064
      CVE-2017-9224
      CVE-2017-9225
      CVE-2017-9226
      CVE-2017-9227
      CVE-2017-9228
      

      The tool is somehow able to relate the vulnerability of Ruby with JRuby (Java implementation). (Jackson will be handled in a different issue.)

      Not all of them directly affect HBase, but Josh Elser suggested that it is better to be on the updated version to avoid issues during an audit in a security-sensitive organization.

       

        Attachments

        1. HBASE-20582.002.patch
          0.8 kB
          Josh Elser
        2. HBASE-20582.addendum.patch
          0.8 kB
          Josh Elser
        3. HBASE-20582.patch
          0.9 kB
          Ankit Singhal

              People

              • Assignee:
                elserj Josh Elser
                Reporter:
                ankit@apache.org Ankit Singhal