[jira] [Commented] (HBASE-20582) Bump up the Jackson and Jruby version because of some reported vulnerabilities

Tue, 15 May 2018 11:05:30 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476270#comment-16476270
 ] 

Josh Elser commented on HBASE-20582:
------------------------------------

{quote}that only works if we ensure nothing we have is exposed by the Java 
Services API in a way that the end user might change the mix of runtime stuff. 
we might do that. I'm not sure. there's definitely no test for it in place.
{quote}
Ah, good point. I'd apt to agree with you.
{quote}I was hoping for your "we don't need to handle json here" solution to 
pan out.
{quote}
Yeah, I hear you. I guess we could roll our own toString() implementations for 
the Operations instead of Jackson (or anything else).

Seems like the overall consensus is that we aren't concerned enough about these 
dependencies to bump these dependencies right now? If that's the case, we can 
just make this change in Master, and work towards pulling out Jackson (JSON) 
entirely from hbase-client as a separate task. Thoughts?

> Bump up the Jackson and Jruby version because of some reported vulnerabilities
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ankit Singhal
>            Assignee: Ankit Singhal
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in 
> HBase.
> {code}
> Jackson(version:2.9.2):
> CVE-2017-17485
> CVE-2018-5968
> CVE-2018-7489
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> Tool somehow able to relate the vulnerability of Ruby with JRuby(Java 
> implementation).
> Not all of them directly affects HBase but [~elserj] suggested that it is 
> better to be on the updated version to avoid issues during an audit in 
> security sensitive organization.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to