[ https://issues.apache.org/jira/browse/HBASE-28250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nihal Jain updated HBASE-28250:
-------------------------------
    Description: 
As a follow-up of HBASE-28249, we want to bump to the latest 9.4.x line here. 

NOTE: [jruby-9-4-5-0|https://www.jruby.org/2023/11/02/jruby-9-4-5-0.html] 
breaks compatibility by making Ruby 3.1 the minimum required version.

This release line drops the critical snakeyaml CVE (*org.yaml : snakeyaml : 
1.33* having [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471])
from our classpath as:
 * The Psych YAML library is updated to 5.1.0. This version switches the JRuby 
extension to SnakeYAML Engine, avoiding CVEs against the original SnakeYAML and 
updating YAML compatibility to specification version 1.2. 
[#6365|https://github.com/jruby/jruby/issues/6365], 
[#7570|https://github.com/jruby/jruby/issues/7570], 
[#7626|https://github.com/jruby/jruby/pull/7626]

  was:
As a follow-up of HBASE-28249, we want to bump to the latest 9.4.x line here. 

[https://www.jruby.org/2023/11/02/jruby-9-4-5-0.html] breaks compatibility by 
making Ruby 3.1 the minimum required version.

But it drops snakeyaml CVEs from our classpath via 
https://github.com/jruby/jruby/issues/7570:
 * *org.yaml : snakeyaml : 1.33* having 
[CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]


> Bump jruby to 9.4.5.0 and related joni and jcodings
> ---------------------------------------------------
>
>                 Key: HBASE-28250
>                 URL: https://issues.apache.org/jira/browse/HBASE-28250
>             Project: HBase
>          Issue Type: Task
>          Components: jruby
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
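Added example, not code from the HBase project or from the Jira issue above: a POSIX shell check a reviewer of this bump can run over saved "mvn dependency:tree" output. It looks for the artifact the issue names, org.yaml:snakeyaml (affected by CVE-2022-1471 in the 1.33 version the issue cites), and for org.snakeyaml:snakeyaml-engine, the artifact that Psych 5.1.0 in JRuby 9.4.5.0 switches to. The sample tree lines, the TREE_BEFORE and TREE_AFTER data, the script name and every version other than jruby 9.4.5.0 and snakeyaml 1.33 are constructed for illustration and are assumptions, not taken from the issue.

```shell
#!/bin/sh
# Added example, not code from the HBase project or the Jira issue: check whether
# org.yaml:snakeyaml (CVE-2022-1471 in the 1.33 line the issue names) is still on
# the classpath after the JRuby bump, and whether org.snakeyaml:snakeyaml-engine
# (what Psych 5.1.0 switches to) took its place.
#
# Assumption (not from the issue): input is the default text output of
#   mvn dependency:tree
# i.e. lines such as "[INFO] |  \- groupId:artifactId:type:version:scope".

# Print "groupId:artifactId:version" for every dependency line read on stdin.
# The coordinate is always the last whitespace-separated token; the root
# project line (4 fields, no scope) and other [INFO] lines are skipped.
extract_coords() {
  awk '
    $1 == "[INFO]" {
      n = split($NF, f, ":")
      if (n == 5)      print f[1] ":" f[2] ":" f[4]   # g:a:type:version:scope
      else if (n == 6) print f[1] ":" f[2] ":" f[5]   # g:a:type:classifier:version:scope
    }'
}

# Read a dependency tree on stdin. Exit status 1 if org.yaml:snakeyaml is still
# present, 0 otherwise. Also reports whether the SnakeYAML Engine replacement
# is present, since its absence after the bump would be unexpected.
check_snakeyaml() {
  coords=$(extract_coords)
  legacy=$(printf '%s\n' "$coords" | grep '^org\.yaml:snakeyaml:' || true)
  engine=$(printf '%s\n' "$coords" | grep '^org\.snakeyaml:snakeyaml-engine:' || true)

  if [ -n "$engine" ]; then
    echo "OK:   SnakeYAML Engine on classpath: $engine"
  else
    echo "WARN: org.snakeyaml:snakeyaml-engine not found (expected with JRuby 9.4.5.0 / Psych 5.1.0)"
  fi
  if [ -n "$legacy" ]; then
    echo "FAIL: original SnakeYAML still on classpath: $legacy (CVE-2022-1471)"
    return 1
  fi
  echo "OK:   org.yaml:snakeyaml not on classpath"
  return 0
}

# Constructed sample trees (illustrative coordinates, not a real hbase-shell
# tree). TREE_BEFORE models the pre-bump classpath the issue describes,
# TREE_AFTER the post-bump one.
TREE_BEFORE='[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ hbase-shell ---
[INFO] org.apache.hbase:hbase-shell:jar:3.0.0-SNAPSHOT
[INFO] +- org.jruby:jruby:jar:9.3.0.0:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.33:compile
[INFO] \- org.jruby.joni:joni:jar:2.1.40:compile'

TREE_AFTER='[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ hbase-shell ---
[INFO] org.apache.hbase:hbase-shell:jar:3.0.0-SNAPSHOT
[INFO] +- org.jruby:jruby:jar:9.4.5.0:compile
[INFO] |  \- org.snakeyaml:snakeyaml-engine:jar:2.7:compile
[INFO] \- org.jruby.joni:joni:jar:2.2.1:compile'

# Usage: ./check_snakeyaml.sh deps.txt   (deps.txt = saved mvn dependency:tree output)
# With no argument, run the two constructed samples: "before" fails, "after" passes.
if [ $# -gt 0 ]; then
  check_snakeyaml < "$1"
else
  echo "== before bump =="
  printf '%s\n' "$TREE_BEFORE" | check_snakeyaml || echo "(exit status $?)"
  echo "== after bump =="
  printf '%s\n' "$TREE_AFTER" | check_snakeyaml
fi
```

The exit status is what matters for a CI gate: wire "mvn -pl hbase-shell dependency:tree > deps.txt && ./check_snakeyaml.sh deps.txt" into the build and the job fails while the legacy artifact is still resolved. Note that a shaded jar such as jruby-complete hides its bundled classes from dependency:tree, so for a shaded dependency the same check has to be run against the jar contents instead.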
