[ 
https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16490139#comment-16490139
 ] 

Sean Busbey edited comment on HBASE-20582 at 5/25/18 2:34 AM:
--------------------------------------------------------------

I haven't convinced myself that the enforcer plugin is wrong. I'd like to try 
to find their discussion of it somewhere but haven't had a chance to dig for it 
yet.

I left a comment on JRuby#4899, just to make sure they're aware that this is 
still a thing.

I think maybe for now we go to the latest JRuby version that doesn't have this 
issue and then wait for an update? From poking around it looks like JRuby 
9.1.13.0 is the last enforcer-blessed release. Everything after that has a 
module-info.class file.

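The check behind the comment above, as an added example that is not part of the HBase project or of this thread: the Maven enforcer rule that trips here (assumed to be the bytecode-version rule, which compares each class file's major version against the build's target) sees a module-info.class compiled for Java 9 (major version 53) inside a jar that otherwise targets Java 8 (major 52). The script below opens a jar, reads the 8-byte class-file header of every .class entry, reports the highest major version, lists the entries above the target, and says whether the jar would pass if only module-info.class were ignored. The sample jar is constructed inline; the JRuby-like entry names and the root-level module-info.class location are assumptions, not a description of any real JRuby release.

```python
import io
import struct
import sys
import zipfile

# Class-file major versions, for readable reports.
JAVA_MAJOR = {49: "Java 5", 50: "Java 6", 51: "Java 7", 52: "Java 8",
              53: "Java 9", 54: "Java 10", 55: "Java 11"}


def class_major_version(data: bytes) -> int:
    """Return the major version from a class-file header (magic, minor, major)."""
    if len(data) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    return major


def scan_jar(jar_bytes: bytes, target_major: int = 52) -> dict:
    """Scan every .class entry in a jar against a target bytecode version.

    Returns the highest major version seen, the entries newer than the target,
    the module-info.class entries found, and whether the jar would pass the
    bytecode check if module-info.class alone were excluded from it.
    """
    result = {"max_major": 0, "too_new": [], "module_info": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            major = class_major_version(jar.read(name))
            result["max_major"] = max(result["max_major"], major)
            # Multi-release jars may also carry META-INF/versions/9/module-info.class.
            if name.endswith("module-info.class"):
                result["module_info"].append(name)
            if major > target_major:
                result["too_new"].append((name, major))
    offenders = [n for n, _ in result["too_new"] if not n.endswith("module-info.class")]
    result["would_pass_if_ignored"] = not offenders
    return result


def make_class(major: int) -> bytes:
    """Constructed minimal class file: only the header matters for a version scan."""
    return struct.pack(">IHH", 0xCAFEBABE, 0, major) + b"\x00" * 8


def build_sample_jar(include_module_info: bool) -> bytes:
    """Constructed sample jar; entry names are hypothetical, not a real JRuby layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/jruby/Ruby.class", make_class(52))
        jar.writestr("org/jruby/RubyObject.class", make_class(52))
        if include_module_info:
            jar.writestr("module-info.class", make_class(53))
    return buf.getvalue()


def report(jar_bytes: bytes, target_major: int = 52) -> str:
    r = scan_jar(jar_bytes, target_major)
    lines = ["max bytecode: %s" % JAVA_MAJOR.get(r["max_major"], r["max_major"])]
    for name, major in r["too_new"]:
        lines.append("  above target: %s (%s)" % (name, JAVA_MAJOR.get(major, major)))
    if r["module_info"] and r["would_pass_if_ignored"]:
        lines.append("  only module-info.class exceeds the target; ignoring it would pass")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python scan.py some.jar [target_major]; with no argument, scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        target = int(sys.argv[2]) if len(sys.argv) > 2 else 52
    else:
        data, target = build_sample_jar(True), 52
    print(report(data, target))
```

Run against a real jruby-complete jar to confirm which release first carries the entry; the `would_pass_if_ignored` flag is what decides whether excluding module-info.class from the enforcer check (rather than pinning an older JRuby) is sufficient.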

> Bump up JRuby version because of some reported vulnerabilities
> --------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>          Components: dependencies, shell
>            Reporter: Ankit Singhal
>            Assignee: Josh Elser
>            Priority: Major
>             Fix For: 3.0.0, 2.1.0
>
>         Attachments: HBASE-20582.002.patch, HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in 
> HBase.
> {code:java}
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> The tool was somehow able to relate the vulnerabilities of Ruby to JRuby (the Java 
> implementation). (Jackson will be handled in a different issue.)
> Not all of them directly affect HBase, but [~elserj] suggested that it is 
> better to be on the updated version to avoid issues during an audit in a 
> security-sensitive organization.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
