[HBASE-20582] Bump up JRuby version because of some reported vulnerabilities - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.0.0-alpha-1, 2.1.0
Component/s: dependencies, shell
Labels:
None

Hadoop Flags:

Reviewed

Description

There are some vulnerabilities reported with two of the libraries used in HBase.

Jruby(version:9.1.10.0):
CVE-2009-5147
CVE-2013-4363
CVE-2014-4975
CVE-2014-8080
CVE-2014-8090
CVE-2015-3900
CVE-2015-7551
CVE-2015-9096
CVE-2017-0899
CVE-2017-0900
CVE-2017-0901
CVE-2017-0902
CVE-2017-0903
CVE-2017-10784
CVE-2017-14064
CVE-2017-9224
CVE-2017-9225
CVE-2017-9226
CVE-2017-9227
CVE-2017-9228

Tool somehow able to relate the vulnerability of Ruby with JRuby(Java implementation). (Jackson will be handled in a different issue.)

Not all of them directly affects HBase but elserj suggested that it is better to be on the updated version to avoid issues during an audit in security sensitive organization.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HBASE-20582.patch
14/May/18 23:00
0.9 kB
Ankit Singhal
HBASE-20582.002.patch
16/May/18 17:08
0.8 kB
Josh Elser
HBASE-20582.addendum.patch
25/May/18 22:30
0.8 kB
Josh Elser

Issue Links

is related to

HBASE-20598 Upgrade to JRuby 9.2

Closed

MENFORCER-300 Enforcer somewhat is too sensitive

Closed

Activity

People

Assignee:: Josh Elser

Reporter:: Ankit Singhal

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 14/May/18 22:58

Updated:: 17/Jun/22 17:27

Resolved:: 30/May/18 07:07