[
https://issues.apache.org/jira/browse/HBASE-28250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nihal Jain updated HBASE-28250:
-------------------------------
Summary: Bump jruby to 9.4.8.0 to fix snakeyaml CVE (was: Bump jruby to
9.4.8.0 and related joni and jcodings)
> Bump jruby to 9.4.8.0 to fix snakeyaml CVE
> ------------------------------------------
>
> Key: HBASE-28250
> URL: https://issues.apache.org/jira/browse/HBASE-28250
> Project: HBase
> Issue Type: Task
> Components: jruby, security, shell
> Reporter: Nihal Jain
> Assignee: Nihal Jain
> Priority: Major
>
> As a follow up of HBASE-28249, we want to bump to latest 9.4.x line here.
> This release line drops critical snakeyaml CVE ({*}org.yaml : snakeyaml :
> 1.33{*} having
> [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]) from our
> classpath with following change along with several other bugs/fixes:
> * The Psych YAML library is updated to 5.1.0. This version switches the
> JRuby extension to SnakeYAML Engine, avoiding CVEs against the original
> SnakeYAML and updating YAML compatibility to specification version 1.2.
> [#6365|https://github.com/jruby/jruby/issues/6365],
> [#7570|https://github.com/jruby/jruby/issues/7570],
> [#7626|https://github.com/jruby/jruby/pull/7626]
> NOTE: JRuby 9.4.x targets Ruby 3.1 compatibility instead of Ruby 2.6 which
> 9.3.x were having!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
