[
https://issues.apache.org/jira/browse/HBASE-28250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nihal Jain updated HBASE-28250:
-------------------------------
Description:
As a follow up of HBASE-28249, we want to bump to latest 9.4.x line here.
[https://www.jruby.org/2023/11/02/jruby-9-4-5-0.html] breaks compatibility by
making ruby 3.1 as minimum required version.
But it drops snakeyaml CVEs from our classpath via
https://github.com/jruby/jruby/issues/7570:
* *org.yaml : snakeyaml : 1.33* having
[CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]
was:
Given branch-2 including branch-2.6 is already on 9.3.9.0, we should bump to at
least 9.3.13.0. This will fix the bundled *org.bouncycastle : bcprov-jdk18on :
1.71* having [CVE-2023-33201|https://nvd.nist.gov/vuln/detail/CVE-2023-33201]
from out classpath for the least.
As a follow up can try to bump to latest 9.4.x line, if others are fine with
this. Please let me know what others think.
> Bump jruby to 9.4.5.0 and related joni and jcodings
> ---------------------------------------------------
>
> Key: HBASE-28250
> URL: https://issues.apache.org/jira/browse/HBASE-28250
> Project: HBase
> Issue Type: Task
> Reporter: Nihal Jain
> Assignee: Nihal Jain
> Priority: Major
>
> As a follow up of HBASE-28249, we want to bump to latest 9.4.x line here.
> [https://www.jruby.org/2023/11/02/jruby-9-4-5-0.html] breaks compatibility by
> making ruby 3.1 as minimum required version.
> But it drops snakeyaml CVEs from our classpath via
> https://github.com/jruby/jruby/issues/7570:
> * *org.yaml : snakeyaml : 1.33* having
> [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
