git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[jira] [Reopened] (HBASE-20582) Bump up JRuby version because of some reported vulnerabilities


     [ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Busbey reopened HBASE-20582:
---------------------------------

[~elserj] this change broke us in nightly, specifically the check that we can go through the release process:


{code}

[INFO] --- maven-enforcer-plugin:3.0.0-M1:enforce (hadoop-profile-min-maven-min-java-banned-xerces) @ hbase-shell ---
[INFO] Restricted to JDK 1.8 yet org.jruby:jruby-complete:jar:9.1.17.0:compile contains module-info.class targeted to JDK 1.9
[WARNING] Rule 4: org.apache.maven.plugins.enforcer.EnforceBytecodeVersion failed with message:
HBase has unsupported dependencies.
  HBase requires that all dependencies be compiled with version 1.8 or earlier
  of the JDK to properly build from source.  You appear to be using a newer dependency. You can use
  either "mvn -version" or "mvn enforcer:display-info" to verify what version is active.
  Non-release builds can temporarily build with a newer JDK version by setting the
  'compileSource' property (eg. mvn -DcompileSource=1.8 clean package).
Found Banned Dependency: org.jruby:jruby-complete:jar:9.1.17.0
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
{code}

here's the full build log:

https://builds.apache.org/job/HBase%20Nightly/job/master/341/artifact/output-srctarball/srctarball_install.log/*view*/

Same thing shows up in branch-2.

> Bump up JRuby version because of some reported vulnerabilities
> --------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ankit Singhal
>            Assignee: Josh Elser
>            Priority: Major
>             Fix For: 3.0.0, 2.1.0
>
>         Attachments: HBASE-20582.002.patch, HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in HBase.
> {code:java}
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> Tool somehow able to relate the vulnerability of Ruby with JRuby(Java implementation). (Jackson will be handled in a different issue.)
> Not all of them directly affects HBase but [~elserj] suggested that it is better to be on the updated version to avoid issues during an audit in security sensitive organization.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)