[ https://issues.apache.org/jira/browse/HBASE-28250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17867105#comment-17867105 ]

Andrew Kyle Purtell edited comment on HBASE-28250 at 7/18/24 8:27 PM:
----------------------------------------------------------------------

Thank you for taking this up [~nihaljain.cs], I am sorry your security org does 
not allow an exception for jruby. We were lucky that ours did, using evidence 
from those interactions with the jruby project as evidence the findings were 
not significant and were not going to be fixed by the vendor. It also helped to 
explain the shell is restricted to privileged system operators.


was (Author: apurtell):
Thank you for taking this up [~nihaljain.cs], I am sorry your security org does 
not allow an exception for jruby. We were lucky that ours did, using evidence 
from those interactions with the jruby project as evidence the findings were 
not significant and were not going to be fixed by the vendor. 

> Bump jruby to 9.4.8.0 and related joni and jcodings
> ---------------------------------------------------
>
>                 Key: HBASE-28250
>                 URL: https://issues.apache.org/jira/browse/HBASE-28250
>             Project: HBase
>          Issue Type: Task
>          Components: jruby, security, shell
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>
> As a follow-up of HBASE-28249, we want to bump to the latest 9.4.x line here. 
> This release line drops the critical snakeyaml CVE ({*}org.yaml : snakeyaml : 
> 1.33{*} having 
> [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]) from our 
> classpath with the following change, along with several other bug fixes: 
>  * The Psych YAML library is updated to 5.1.0. This version switches the 
> JRuby extension to SnakeYAML Engine, avoiding CVEs against the original 
> SnakeYAML and updating YAML compatibility to specification version 1.2. 
> [#6365|https://github.com/jruby/jruby/issues/6365], 
> [#7570|https://github.com/jruby/jruby/issues/7570], 
> [#7626|https://github.com/jruby/jruby/pull/7626]
> NOTE: JRuby 9.4.x targets Ruby 3.1 compatibility instead of the Ruby 2.6 that 
> 9.3.x targeted!
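
The issue above rests on a classpath claim: after the bump, org.yaml:snakeyaml:1.33 should no longer be present anywhere, including inside the shaded jruby-complete jar where scanners find it. The following script is an added example (not code from HBase, JRuby or the commenters) that checks exactly that by reading the META-INF/maven/<groupId>/<artifactId>/pom.properties entries Maven keeps inside jars and flagging org.yaml:snakeyaml below 2.0, the first line fixing CVE-2022-1471. It assumes the shaded jar still carries those pom.properties entries (usual, but not guaranteed for every build); the two in-memory jars, the 9.3.13.0 and snakeyaml-engine 2.7 version strings, and the function names are constructed for illustration.

```python
"""Scan jars for embedded Maven coordinates and flag a vulnerable snakeyaml.

Added example: walks META-INF/maven/*/*/pom.properties inside each jar, which is
how security scanners spot shaded transitive dependencies such as the snakeyaml
bundled in jruby-complete. Assumes the shaded jar kept those entries.
"""
import io
import re
import zipfile
from pathlib import Path

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

# CVE-2022-1471 affects org.yaml:snakeyaml through 1.33; 2.0 is the first
# release that restricts arbitrary global tags by default.
VULNERABLE = {("org.yaml", "snakeyaml"): (2, 0)}


def parse_version(v):
    """'1.33' -> (1, 33); '9.4.8.0' -> (9, 4, 8, 0). Stops at the first non-numeric part."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def embedded_coords(jar_bytes):
    """Yield (groupId, artifactId, version) for every pom.properties inside the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                k, _, v = line.partition("=")
                props[k.strip()] = v.strip()
            # Fall back to the path components if the file omits a key.
            yield (props.get("groupId", m.group(1)),
                   props.get("artifactId", m.group(2)),
                   props.get("version", "0"))


def vulnerable_coords(jar_bytes):
    """Return 'g:a:v' strings for embedded artifacts below their fixed version."""
    found = []
    for g, a, v in embedded_coords(jar_bytes):
        fixed = VULNERABLE.get((g, a))
        if fixed is not None and parse_version(v) < fixed:
            found.append(f"{g}:{a}:{v}")
    return found


def scan_dir(path):
    """Map jar path -> vulnerable coordinates for every *.jar under path."""
    report = {}
    for jar in Path(path).rglob("*.jar"):
        hits = vulnerable_coords(jar.read_bytes())
        if hits:
            report[str(jar)] = hits
    return report


def make_fake_jar(coords):
    """Constructed test data: an in-memory jar holding pom.properties for each coordinate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for g, a, v in coords:
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                        f"#Generated by Maven\nversion={v}\ngroupId={g}\nartifactId={a}\n")
    return buf.getvalue()


# Constructed stand-ins for a pre-bump and post-bump jruby-complete jar
# (version numbers illustrative, not taken from the real artifacts).
OLD_JAR = make_fake_jar([("org.jruby", "jruby-complete", "9.3.13.0"),
                         ("org.yaml", "snakeyaml", "1.33")])
NEW_JAR = make_fake_jar([("org.jruby", "jruby-complete", "9.4.8.0"),
                         ("org.snakeyaml", "snakeyaml-engine", "2.7")])

if __name__ == "__main__":
    print("before bump:", vulnerable_coords(OLD_JAR))  # ['org.yaml:snakeyaml:1.33']
    print("after bump: ", vulnerable_coords(NEW_JAR))  # []
```

Run scan_dir against the assembled lib/ directory of a build before and after the upgrade; the pre-bump jar reports org.yaml:snakeyaml:1.33 and the post-bump jar reports nothing, which is the evidence a security org usually asks for when a transitive dependency is only visible inside a shaded artifact.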



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
