[ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16490139#comment-16490139 ]
Sean Busbey edited comment on HBASE-20582 at 5/25/18 2:34 AM:
--------------------------------------------------------------

I haven't convinced myself that the enforcer plugin is wrong. I'd like to try to find their discussion of it somewhere but haven't had a chance to dig for it yet.

I left a comment on JRuby#4899, just to make sure they're aware that this is still a thing.

I think maybe for now we go to the latest JRuby version that doesn't have this issue and then wait for an update? From poking around it looks like JRuby 9.1.13.0 is the last enforcer-blessed release. Everything after that has a module-info.class file.

was (Author: busbey):
I haven't convinced myself that the enforcer plugin is wrong. I'd like to try to find their discussion of it somewhere but haven't had a chance to dig for it yet.

I left a commend on JRuby#4899, just to make sure they're aware that this is still a thing.

I think maybe for now we go to the latest JRuby version that doesn't have this issue and then wait for an update? From poking around it looks like JRuby 9.1.13.0 is the last enforcer-blessed release. Everything after that has a module-info.class file.

> Bump up JRuby version because of some reported vulnerabilities
> --------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>          Components: dependencies, shell
>            Reporter: Ankit Singhal
>            Assignee: Josh Elser
>            Priority: Major
>             Fix For: 3.0.0, 2.1.0
>
>         Attachments: HBASE-20582.002.patch, HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in
> HBase.
> {code:java}
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> The tool is somehow able to relate the vulnerabilities of Ruby with JRuby (the Java
> implementation). (Jackson will be handled in a different issue.)
> Not all of them directly affect HBase but [~elserj] suggested that it is
> better to be on the updated version to avoid issues during an audit in a
> security-sensitive organization.
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
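
One way to check a candidate jar for the module-info.class file mentioned in the comment above before bumping the dependency. This is an added example, not code from the HBase or JRuby projects; the function names, the sample jars, and the Java 8 threshold (class-file major version 52) are assumptions, since the message does not say which enforcer rule is involved.

```python
import io
import struct
import zipfile

MAGIC = 0xCAFEBABE  # first four bytes of every Java class file


def scan_jar(jar, max_major=52):
    """Return (module_descriptors, too_new) for a jar path or file object.

    module_descriptors: sorted entry names that are module-info.class
    too_new: {entry name: class-file major version} above max_major
    (52 = Java 8, 53 = Java 9; the threshold is an assumption)
    """
    descriptors, too_new = [], {}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.endswith(".class"):
                continue
            if name.rsplit("/", 1)[-1] == "module-info.class":
                descriptors.append(name)
            with zf.open(info) as fh:
                header = fh.read(8)
            if len(header) < 8:
                continue  # truncated entry, cannot be a class file
            # Header layout: u4 magic, u2 minor_version, u2 major_version
            magic, _minor, major = struct.unpack(">IHH", header)
            if magic == MAGIC and major > max_major:
                too_new[name] = major
    return sorted(descriptors), too_new


def build_jar(entries):
    """Constructed sample input: an in-memory jar from {name: major version}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, major in entries.items():
            zf.writestr(name, struct.pack(">IHH", MAGIC, 0, major) + b"\x00" * 8)
    buf.seek(0)
    return buf


# Constructed jars for illustration; these are not the real JRuby artifacts.
CLEAN = {"org/example/Main.class": 52}
WITH_MODULE = {"org/example/Main.class": 52, "module-info.class": 53,
               "META-INF/versions/9/module-info.class": 53}

if __name__ == "__main__":
    for label, entries in (("clean", CLEAN), ("with module-info", WITH_MODULE)):
        found, newer = scan_jar(build_jar(entries))
        print(f"{label}: module descriptors={found} above Java 8={newer}")
```

Passing the path of a downloaded jar to `scan_jar` instead of the in-memory sample gives the same report for a real artifact.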