[ 
https://issues.apache.org/jira/browse/HBASE-28250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17867279#comment-17867279
 ] 

Nick Dimiduk commented on HBASE-28250:
--------------------------------------

{noformat}
But it is important to note JRuby 9.4.x targets Ruby 3.1 compatibility instead 
of Ruby 2.6 which 9.3.x were having! So we may have to decide which all 
branches we would want to drop a fix, if available.
{noformat}

If the jruby version numbers are to be trusted, it means we can only deploy such 
an upgrade over a major version bump. I'd say you could target HBase 3.0 for 
the upgrade, assuming we can wrap our heads around the compatibility issues.

> Bump jruby to 9.4.8.0 and related joni and jcodings
> ---------------------------------------------------
>
>                 Key: HBASE-28250
>                 URL: https://issues.apache.org/jira/browse/HBASE-28250
>             Project: HBase
>          Issue Type: Task
>          Components: jruby, security, shell
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>
> As a follow up of HBASE-28249, we want to bump to latest 9.4.x line here. 
> This release line drops critical snakeyaml CVE ({*}org.yaml : snakeyaml : 
> 1.33{*} having 
> [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]) from our 
> classpath with following change along with several other bugs/fixes: 
>  * The Psych YAML library is updated to 5.1.0. This version switches the 
> JRuby extension to SnakeYAML Engine, avoiding CVEs against the original 
> SnakeYAML and updating YAML compatibility to specification version 1.2. 
> [#6365|https://github.com/jruby/jruby/issues/6365], 
> [#7570|https://github.com/jruby/jruby/issues/7570], 
> [#7626|https://github.com/jruby/jruby/pull/7626]
> NOTE: JRuby 9.4.x targets Ruby 3.1 compatibility instead of Ruby 2.6 which 
> 9.3.x were having!
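One way to verify the classpath claim in the issue above, added here as an example that is not part of HBASE-28250 or the HBase code base: it scans a lib directory for jars that embed org.yaml:snakeyaml (SnakeYAML Engine ships under a different groupId and is deliberately not matched) and flags versions below 2.0, which is assumed to be the version that fixed CVE-2022-1471. The jar names and version strings in the sample directory are constructed.

```python
"""Report jars that bundle the original SnakeYAML, flagging pre-2.0 versions."""
import os
import tempfile
import zipfile

# Assumption: CVE-2022-1471 is fixed in SnakeYAML 2.0, so everything below
# (including the 1.33 named in the issue) is treated as affected.
FIXED_VERSION = (2, 0)
SNAKEYAML_POM = "META-INF/maven/org.yaml/snakeyaml/"  # org.snakeyaml:snakeyaml-engine does not match


def _parse_version(text):
    """'1.33' -> (1, 33); unparseable strings become () and sort as vulnerable."""
    return tuple(int(p) for p in text.strip().split(".")[:2] if p.isdigit())


def snakeyaml_versions(jar_dir):
    """Return {jar_name: version} for every jar embedding org.yaml:snakeyaml."""
    found = {}
    for name in sorted(os.listdir(jar_dir)):
        if not name.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(jar_dir, name)) as jar:
            for entry in jar.namelist():
                if entry.startswith(SNAKEYAML_POM) and entry.endswith("pom.properties"):
                    lines = jar.read(entry).decode().splitlines()
                    props = dict(l.split("=", 1) for l in lines if "=" in l)
                    found[name] = props.get("version", "unknown").strip()
    return found


def vulnerable_jars(jar_dir):
    """Names of jars whose embedded SnakeYAML predates the CVE-2022-1471 fix."""
    return sorted(jar for jar, v in snakeyaml_versions(jar_dir).items()
                  if _parse_version(v) < FIXED_VERSION)


def build_sample_lib_dir():
    """Constructed sample: one jar bundling snakeyaml 1.33 (the 9.3-era layout)
    and one bundling only snakeyaml-engine (the 9.4-era layout)."""
    d = tempfile.mkdtemp()
    samples = {
        "jruby-complete-9.3-sample.jar": ("META-INF/maven/org.yaml/snakeyaml/pom.properties",
                                          "version=1.33\ngroupId=org.yaml\nartifactId=snakeyaml\n"),
        "jruby-complete-9.4-sample.jar": ("META-INF/maven/org.snakeyaml/snakeyaml-engine/pom.properties",
                                          "version=2.7\ngroupId=org.snakeyaml\nartifactId=snakeyaml-engine\n"),
    }
    for jar_name, (path, body) in samples.items():
        with zipfile.ZipFile(os.path.join(d, jar_name), "w") as jar:
            jar.writestr(path, body)
    return d


if __name__ == "__main__":
    print(vulnerable_jars(build_sample_lib_dir()))  # -> ['jruby-complete-9.3-sample.jar']
```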



--
This message was sent by Atlassian Jira
(v8.20.10#820010)