[
https://issues.apache.org/jira/browse/HBASE-29651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18034540#comment-18034540
]
Hudson commented on HBASE-29651:
--------------------------------
Results for branch master
[build #1364 on
builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1364/]:
(x) *{color:red}-1 overall{color}*
----
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1364/General_20Nightly_20Build_20Report/]
(x) {color:red}-1 jdk17 hadoop3 checks{color}
-- For more information [see jdk17
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1364/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk17 hadoop 3.3.5 backward compatibility checks{color}
-- For more information [see jdk17
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1364/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(x) {color:red}-1 jdk17 hadoop 3.3.6 backward compatibility checks{color}
-- For more information [see jdk17
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1364/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test for 3.3.5 {color}
(/) {color:green}+1 client integration test for 3.3.6 {color}
(/) {color:green}+1 client integration test for 3.4.0 {color}
(/) {color:green}+1 client integration test for 3.4.1 {color}
(/) {color:green}+1 client integration test for 3.4.2 {color}
> Bump jruby to 9.4.14.0 to fix multiple CVEs
> -------------------------------------------
>
> Key: HBASE-29651
> URL: https://issues.apache.org/jira/browse/HBASE-29651
> Project: HBase
> Issue Type: Bug
> Components: jruby, security
> Reporter: Xavier Fernandis
> Assignee: Xavier Fernandis
> Priority: Major
> Labels: pull-request-available
>
> h2. Overview
> Sonatype security scan has identified multiple vulnerabilities in our current
> JRuby version 9.4.12.1. These vulnerabilities pose security risks and require
> immediate remediation through version upgrade.
> h2. Impact Assessment
> * *High Risk:* 3 critical vulnerabilities with CVSS 7+ scores
> * *Attack Vectors:* Denial of Service, Memory Exhaustion, Regular Expression
> DoS
> * *Affected Components:* CGI gem, Net::IMAP library, REXML parser
> * *Business Impact:* Potential service disruption, resource exhaustion
> h2. Confirmed Fixes
> * *CVE-2025-27219 & CVE-2025-27220:* Fixed in JRuby 9.4.14.0 (CGI gem
> updated [https://github.com/jruby/jruby/pull/8954])
> * *CVE-2025-43857:* Fixed in JRuby 9.4.13.0 (Net::IMAP updated to 0.2.5
> [https://github.com/jruby/jruby/pull/8827])
> h2. References
> - [JRuby 9.4.14.0 Release
> Notes]([https://github.com/jruby/jruby/releases/tag/9.4.14.0])
> - [CVE-2025-27219 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-27219])
> - [CVE-2025-27220 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-27220])
> - [CVE-2025-43857 Details]([https://nvd.nist.gov/vuln/detail/CVE-2025-43857])
> h2. Action required
> *Upgrade JRuby from 9.4.12.1 to 9.4.14.0 (minimum safe version)*
> h2.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
