[jira] [Commented] (HBASE-28250) Bump jruby to 9.4.8.0 to fix snakeyaml CVE

Fri, 09 Aug 2024 10:45:39 -0700 


    [ 
https://issues.apache.org/jira/browse/HBASE-28250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17872418#comment-17872418
 ] 

Hudson commented on HBASE-28250:
--------------------------------

Results for branch master
        [build #1140 on 
builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1140/]: 
(/) *{color:green}+1 overall{color}*
----
details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general 
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1140/General_20Nightly_20Build_20Report/]








(/) {color:green}+1 jdk17 hadoop3 checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1140/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(/) {color:green}+1 source release artifact{color}
-- See build output for details.


(/) {color:green}+1 client integration test{color}


> Bump jruby to 9.4.8.0 to fix snakeyaml CVE
> ------------------------------------------
>
>                 Key: HBASE-28250
>                 URL: https://issues.apache.org/jira/browse/HBASE-28250
>             Project: HBase
>          Issue Type: Task
>          Components: jruby, security, shell
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.0.0-beta-2
>
>
> As a follow up of HBASE-28249, we want to bump to latest 9.4.x line here. 
> This release line drops critical snakeyaml CVE ({*}org.yaml : snakeyaml : 
> 1.33{*} having 
> [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]) from our 
> classpath with following change along with several other bugs/fixes: 
>  * The Psych YAML library is updated to 5.1.0. This version switches the 
> JRuby extension to SnakeYAML Engine, avoiding CVEs against the original 
> SnakeYAML and updating YAML compatibility to specification version 1.2. 
> [#6365|https://github.com/jruby/jruby/issues/6365], 
> [#7570|https://github.com/jruby/jruby/issues/7570], 
> [#7626|https://github.com/jruby/jruby/pull/7626]
> NOTE: JRuby 9.4.x targets Ruby 3.1 compatibility instead of Ruby 2.6 which 
> 9.3.x were having!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to