Nihal Jain created HBASE-28968:
----------------------------------
Summary: Bump jruby to 9.4.9.0 to fix rexml CVE
Key: HBASE-28968
URL: https://issues.apache.org/jira/browse/HBASE-28968
Project: HBase
Issue Type: Task
Components: jruby, security, shell
Reporter: Nihal Jain
Assignee: Nihal Jain
Fix For: 2.7.0, 3.0.0-beta-2
As a follow-up to HBASE-28249, we want to bump to the latest 9.4.x line here.
This release line drops the critical snakeyaml CVE ({*}org.yaml : snakeyaml :
1.33{*}, which has [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471])
from our classpath with the following change, along with several other bug fixes:
* The Psych YAML library is updated to 5.1.0. This version switches the JRuby
extension to SnakeYAML Engine, avoiding CVEs against the original SnakeYAML and
updating YAML compatibility to specification version 1.2.
[#6365|https://github.com/jruby/jruby/issues/6365],
[#7570|https://github.com/jruby/jruby/issues/7570],
[#7626|https://github.com/jruby/jruby/pull/7626]
NOTE: JRuby 9.4.x targets Ruby 3.1 compatibility instead of the Ruby 2.6
compatibility that 9.3.x had!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
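A bump like this is only a fix if the vulnerable artifact is actually gone from the shipped classpath. The script below is an added example, not HBase or JRuby project code: it flags any org.yaml:snakeyaml below 2.0 (the first release with the CVE-2022-1471 fix) in `mvn dependency:tree` output, and separately inspects a jar's entries for bundled SnakeYAML classes, since a fat jar such as jruby-complete can carry a copy that never shows up as a Maven coordinate. The tree text and jar contents are constructed samples; the artifact versions in them are illustrative and not taken from an HBase build.

```python
"""Two checks that a JRuby bump really removed vulnerable SnakeYAML from a classpath.

Added example; it is not HBase or JRuby project code. It assumes the plain-text
format of `mvn dependency:tree` and the fact that CVE-2022-1471 is fixed in
org.yaml:snakeyaml 2.0 and does not affect org.snakeyaml:snakeyaml-engine.
"""
import io
import re
import zipfile
from typing import Dict, List, Tuple

VULN_GROUP, VULN_ARTIFACT = "org.yaml", "snakeyaml"
SNAKEYAML_FIXED = (2, 0)  # first org.yaml:snakeyaml release with the CVE-2022-1471 fix

# Package prefixes inside a jar: catches shaded/bundled copies dependency:tree never lists.
OLD_PACKAGE = "org/yaml/snakeyaml/"
ENGINE_PACKAGE = "org/snakeyaml/engine/"

# "[INFO] " plus the tree-drawing glyphs (|, +-, \-) in front of each coordinate.
TREE_PREFIX = re.compile(r"^\[INFO\]\s*[|+\\\- ]*")


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.33' -> (1, 33); '2.0-SNAPSHOT' -> (2, 0). Stops at the first non-numeric part."""
    nums = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums) or (0,)


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Extract (groupId, artifactId, version) from each coordinate line of dependency:tree output."""
    deps = []
    for line in text.splitlines():
        parts = TREE_PREFIX.sub("", line).strip().split(":")
        # root: g:a:type:version ; dependency: g:a:type[:classifier]:version:scope
        if len(parts) == 4:
            deps.append((parts[0], parts[1], parts[3]))
        elif len(parts) in (5, 6):
            deps.append((parts[0], parts[1], parts[-2]))
    return deps


def vulnerable_snakeyaml(deps: List[Tuple[str, str, str]]) -> List[str]:
    """Coordinates of org.yaml:snakeyaml still below the fixed version."""
    return [
        f"{g}:{a}:{v}"
        for g, a, v in deps
        if g == VULN_GROUP and a == VULN_ARTIFACT and parse_version(v) < SNAKEYAML_FIXED
    ]


def scan_jar(jar_bytes: bytes) -> Dict[str, bool]:
    """Report whether a jar bundles classic SnakeYAML and/or SnakeYAML Engine classes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
    return {
        "old_snakeyaml": any(n.startswith(OLD_PACKAGE) for n in names),
        "snakeyaml_engine": any(n.startswith(ENGINE_PACKAGE) for n in names),
    }


def make_jar(entries: List[str]) -> bytes:
    """Build a minimal in-memory jar with the given entry names (constructed sample only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed sample trees, not real HBase build logs; versions are illustrative.
BEFORE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ hbase-shell ---
[INFO] org.apache.hbase:hbase-shell:jar:2.7.0-SNAPSHOT
[INFO] +- org.jruby:jruby-complete:jar:9.3.0.0:compile
[INFO] +- org.yaml:snakeyaml:jar:1.33:compile
[INFO] \\- org.apache.hbase:hbase-common:test-jar:tests:2.7.0-SNAPSHOT:test
"""
AFTER_TREE = """\
[INFO] org.apache.hbase:hbase-shell:jar:2.7.0-SNAPSHOT
[INFO] +- org.jruby:jruby-complete:jar:9.4.9.0:compile
[INFO] \\- org.apache.hbase:hbase-common:test-jar:tests:2.7.0-SNAPSHOT:test
"""

if __name__ == "__main__":
    for label, tree in (("before", BEFORE_TREE), ("after", AFTER_TREE)):
        print(label, "vulnerable:", vulnerable_snakeyaml(parse_tree(tree)))
    old_jar = make_jar(["org/yaml/snakeyaml/Yaml.class"])
    new_jar = make_jar(["org/snakeyaml/engine/v2/api/Load.class"])
    print("old jar:", scan_jar(old_jar))
    print("new jar:", scan_jar(new_jar))
```

In a real build, feed `parse_tree` the output of `mvn dependency:tree` run in the shell module and `scan_jar` the bytes of the jruby jar that ends up in the assembly; a clean result is an empty vulnerable list together with `old_snakeyaml` false and `snakeyaml_engine` true.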