[ https://issues.apache.org/jira/browse/HBASE-28968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nihal Jain updated HBASE-28968:
-------------------------------
    Description: 
JRuby 9.4.9.0 has been released on November 04 2024

See [https://www.jruby.org/2024/11/04/jruby-9-4-9-0.html]

This release drops moderate rexml 
[CVE-2024-49761|https://github.com/advisories/GHSA-2rxp-v6pw-ch6m] from our 
classpath with the following change along with several other bugs/fixes: 
 * REXML was updated to 3.3.9 to get recent fixes and to address 
[CVE-2024-49761|https://github.com/advisories/GHSA-2rxp-v6pw-ch6m], a ReDOS 
vulnerability. Only users parsing unsanitized XML with REXML are affected. 
[#8396|https://github.com/jruby/jruby/pull/8396]

  was:
As a follow-up of HBASE-28249, we want to bump to the latest 9.4.x line here. 

This release line drops the critical snakeyaml CVE ({*}org.yaml : snakeyaml : 
1.33{*} having [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471]) 
from our classpath with the following change along with several other bugs/fixes: 
 * The Psych YAML library is updated to 5.1.0. This version switches the JRuby 
extension to SnakeYAML Engine, avoiding CVEs against the original SnakeYAML and 
updating YAML compatibility to specification version 1.2. 
[#6365|https://github.com/jruby/jruby/issues/6365], 
[#7570|https://github.com/jruby/jruby/issues/7570], 
[#7626|https://github.com/jruby/jruby/pull/7626]

NOTE: JRuby 9.4.x targets Ruby 3.1 compatibility instead of the Ruby 2.6 that 
9.3.x had!


> Bump jruby to 9.4.9.0 to fix rexml CVE
> --------------------------------------
>
>                 Key: HBASE-28968
>                 URL: https://issues.apache.org/jira/browse/HBASE-28968
>             Project: HBase
>          Issue Type: Task
>          Components: jruby, security, shell
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>             Fix For: 2.7.0, 3.0.0-beta-2
>
>
> JRuby 9.4.9.0 has been released on November 04 2024
> See [https://www.jruby.org/2024/11/04/jruby-9-4-9-0.html]
> This release drops moderate rexml 
> [CVE-2024-49761|https://github.com/advisories/GHSA-2rxp-v6pw-ch6m] from our 
> classpath with the following change along with several other bugs/fixes: 
>  * REXML was updated to 3.3.9 to get recent fixes and to address 
> [CVE-2024-49761|https://github.com/advisories/GHSA-2rxp-v6pw-ch6m], a ReDOS 
> vulnerability. Only users parsing unsanitized XML with REXML are affected. 
> [#8396|https://github.com/jruby/jruby/pull/8396]


