Details
- Type: Task
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- None
- Hadoop Flags: Incompatible change, Reviewed
Description
As a follow-up to HBASE-28249, we want to bump to the latest 9.4.x release line here.
This release line removes the critical SnakeYAML CVE (org.yaml:snakeyaml:1.33, affected by CVE-2022-1471) from our classpath through the following change, along with several other bug fixes:
- The Psych YAML library is updated to 5.1.0. This version switches the JRuby extension to SnakeYAML Engine, avoiding CVEs against the original SnakeYAML and updating YAML compatibility to specification version 1.2. #6365, #7570, #7626
NOTE: JRuby 9.4.x targets Ruby 3.1 compatibility instead of the Ruby 2.6 compatibility that 9.3.x had!
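Added example (not from this ticket or the HBase project) of the check a reviewer of this bump would want: a POSIX shell function that scans `mvn dependency:tree` output for org.yaml:snakeyaml below 2.0, the range CVE-2022-1471 applies to, and confirms that the org.snakeyaml:snakeyaml-engine replacement is not flagged. The dependency-tree excerpts and the 9.4.0.0 / 2.0 / X.Y.Z version strings are constructed placeholders.

```sh
#!/bin/sh
# Constructed `mvn dependency:tree` excerpts (sample text written for this
# example, not real HBase build output; version strings are placeholders).
TREE_BEFORE='[INFO] org.apache.hbase:hbase-shell:jar:X.Y.Z
[INFO] +- org.jruby:jruby-complete:jar:9.3.13.0:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.33:compile'

TREE_AFTER='[INFO] org.apache.hbase:hbase-shell:jar:X.Y.Z
[INFO] +- org.jruby:jruby-complete:jar:9.4.0.0:compile
[INFO] |  \- org.snakeyaml:snakeyaml-engine:jar:2.0:compile'

# Print each org.yaml:snakeyaml artifact whose major version is below 2
# (the range CVE-2022-1471 applies to). Returns 1 if any was found, else 0.
# org.snakeyaml:snakeyaml-engine deliberately does not match: it is the
# separate library that Psych 5.1.0 switched to.
find_vulnerable_snakeyaml() {
  found=$(printf '%s\n' "$1" | awk '
    match($0, /org\.yaml:snakeyaml:jar:[0-9][0-9.]*/) {
      art = substr($0, RSTART, RLENGTH)
      split(art, f, ":")       # f[4] is the version, e.g. 1.33
      split(f[4], v, ".")      # v[1] is the major version
      if (v[1] + 0 < 2) print art
    }')
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# Run the check over both trees: the pre-bump tree is flagged, the post-bump
# tree (snakeyaml-engine only) passes.
for tree in "$TREE_BEFORE" "$TREE_AFTER"; do
  if find_vulnerable_snakeyaml "$tree"; then
    echo "classpath clean"
  else
    echo "vulnerable snakeyaml still on classpath"
  fi
done
```

In a real build, feed it `mvn dependency:tree` output instead of the constructed strings, e.g. `find_vulnerable_snakeyaml "$(mvn -q dependency:tree)"`.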
Issue Links
- is a clone of: HBASE-28249 Bump jruby to 9.3.13.0 and related joni and jcodings to 2.2.1 and 1.0.58 respectively (Resolved)
- is cloned by: HBASE-28968 Bump jruby to 9.4.9.0 to fix rexml CVE (Open)
- is related to:
  - HBASE-27921 Bump up jruby to 9.4.2.0 and related joni and jcodings to 2.1.48 and 1.0.58 respectively (Resolved)
  - HBASE-28864 NoMethodError undefined method assignment_expression? (Resolved)