Posted to dev@hbase.apache.org by "Sean Busbey (JIRA)" <ji...@apache.org> on 2018/05/23 17:32:00 UTC
[jira] [Reopened] (HBASE-20582) Bump up JRuby version because of some reported vulnerabilities
[ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Busbey reopened HBASE-20582:
---------------------------------
[~elserj] this change broke us in nightly, specifically the check that we can go through the release process:
{code}
[INFO] --- maven-enforcer-plugin:3.0.0-M1:enforce (hadoop-profile-min-maven-min-java-banned-xerces) @ hbase-shell ---
[INFO] Restricted to JDK 1.8 yet org.jruby:jruby-complete:jar:9.1.17.0:compile contains module-info.class targeted to JDK 1.9
[WARNING] Rule 4: org.apache.maven.plugins.enforcer.EnforceBytecodeVersion failed with message:
HBase has unsupported dependencies.
HBase requires that all dependencies be compiled with version 1.8 or earlier
of the JDK to properly build from source. You appear to be using a newer dependency. You can use
either "mvn -version" or "mvn enforcer:display-info" to verify what version is active.
Non-release builds can temporarily build with a newer JDK version by setting the
'compileSource' property (eg. mvn -DcompileSource=1.8 clean package).
Found Banned Dependency: org.jruby:jruby-complete:jar:9.1.17.0
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
{code}
Here's the full build log:
https://builds.apache.org/job/HBase%20Nightly/job/master/341/artifact/output-srctarball/srctarball_install.log/*view*/
Same thing shows up in branch-2.
> Bump up JRuby version because of some reported vulnerabilities
> --------------------------------------------------------------
>
> Key: HBASE-20582
> URL: https://issues.apache.org/jira/browse/HBASE-20582
> Project: HBase
> Issue Type: Bug
> Reporter: Ankit Singhal
> Assignee: Josh Elser
> Priority: Major
> Fix For: 3.0.0, 2.1.0
>
> Attachments: HBASE-20582.002.patch, HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in HBase.
> {code:java}
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> The tool is somehow able to relate the vulnerabilities of Ruby to JRuby (the Java implementation). (Jackson will be handled in a different issue.)
> Not all of them directly affect HBase, but [~elserj] suggested that it is better to be on the updated version to avoid issues during an audit in a security-sensitive organization.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
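The enforcer failure above comes down to one byte pair: every class file carries a major version in its header (52 for JDK 1.8, 53 for JDK 1.9), and `jruby-complete:9.1.17.0` ships a `module-info.class` at 53 while the rule caps dependencies at 52. The following script is an added example, not part of this JIRA thread or of HBase or JRuby, that reproduces that check offline so a dependency bump for CVE reasons can be screened for newer bytecode before it hits CI. The jar it scans is constructed in memory; `scan_jar`, `class_major_version`, and the `ignore` parameter are names chosen here, not Maven enforcer options.

```python
"""Scan a jar for class files compiled above a maximum JDK class-file version.

Added example (not HBase, JRuby, or Maven enforcer code). Reads the 8-byte
header of each .class entry: magic 0xCAFEBABE, minor version, major version.
"""
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE
# Class-file major version -> JDK release, per the JVM specification.
MAJOR_TO_JDK = {49: "1.5", 50: "1.6", 51: "1.7", 52: "1.8", 53: "1.9", 54: "10", 55: "11"}


def class_major_version(data: bytes) -> int:
    """Return the major version from a class-file header; raise on non-class data."""
    if len(data) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a class file (bad magic)")
    return major


def scan_jar(jar_bytes: bytes, max_major: int = 52, ignore: tuple = ()):
    """Return (offenders, highest_major).

    offenders: list of (entry name, major) whose major exceeds max_major.
    Entries whose basename is in `ignore` (e.g. "module-info.class") are skipped,
    which lets you see whether the module descriptor is the only problem.
    """
    offenders = []
    highest = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            if name.rsplit("/", 1)[-1] in ignore:
                continue
            major = class_major_version(zf.read(name))
            highest = max(highest, major)
            if major > max_major:
                offenders.append((name, major))
    return offenders, highest


def describe(major: int) -> str:
    """Human-readable JDK release for a class-file major version."""
    return "JDK " + MAJOR_TO_JDK.get(major, f"major {major}")


# --- constructed sample data (stands in for a real dependency jar) ---
def fake_class(major: int) -> bytes:
    """Constructed: a header-only class file with the given major version."""
    return struct.pack(">IHH", CLASS_MAGIC, 0, major) + b"\x00" * 8


def build_sample_jar() -> bytes:
    """Constructed jar: two JDK 1.8 classes plus a JDK 1.9 module-info.class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/Foo.class", fake_class(52))
        zf.writestr("org/example/Bar.class", fake_class(52))
        zf.writestr("module-info.class", fake_class(53))
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    offenders, highest = scan_jar(jar, max_major=52)
    for name, major in offenders:
        print(f"BANNED: {name} targets {describe(major)} (limit {describe(52)})")
    print(f"highest class-file version in jar: {describe(highest)}")
    # Re-run skipping the module descriptor to see if anything else is newer.
    rest, _ = scan_jar(jar, max_major=52, ignore=("module-info.class",))
    print("only module-info.class exceeds the limit" if not rest else f"also: {rest}")
```

Running this against a real jar (replace `build_sample_jar()` with `open(path, "rb").read()`) tells you, before CI does, whether an upgraded dependency merely carries a JDK 9 module descriptor or actually has application classes compiled for a newer JDK; the two cases call for different responses (an enforcer exclusion versus a different artifact or version).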