Posted to dev@hbase.apache.org by "Ankit Singhal (JIRA)" <ji...@apache.org> on 2018/05/14 22:59:00 UTC

[jira] [Created] (HBASE-20582) Bump up the Jackson and Jruby version because of some reported vulnerabilities

Ankit Singhal created HBASE-20582:
-------------------------------------

             Summary: Bump up the Jackson and Jruby version because of some reported vulnerabilities
                 Key: HBASE-20582
                 URL: https://issues.apache.org/jira/browse/HBASE-20582
             Project: HBase
          Issue Type: Bug
            Reporter: Ankit Singhal
            Assignee: Ankit Singhal
             Fix For: 2.1.0


There are some vulnerabilities reported with two of the libraries used in HBase.

{code}
Jackson(version:2.9.2):
CVE-2017-17485
CVE-2018-5968
CVE-2018-7489

Jruby(version:9.1.10.0):
CVE-2009-5147
CVE-2013-4363
CVE-2014-4975
CVE-2014-8080
CVE-2014-8090
CVE-2015-3900
CVE-2015-7551
CVE-2015-9096
CVE-2017-0899
CVE-2017-0900
CVE-2017-0901
CVE-2017-0902
CVE-2017-0903
CVE-2017-10784
CVE-2017-14064
CVE-2017-9224
CVE-2017-9225
CVE-2017-9226
CVE-2017-9227
CVE-2017-9228
{code}

The tool is somehow able to relate the vulnerability of Ruby with JRuby (Java implementation).

Not all of them directly affect HBase, but it is better to be on the updated version to avoid issues during an audit in a security-sensitive organization.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)