Details
-
Task
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
As a follow up of HBASE-28249, we want to bump to latest 9.4.x line here.
This release line drops critical snakeyaml CVE (org.yaml : snakeyaml : 1.33 having CVE-2022-1471) from our classpath with following change along with several other bugs/fixes:
- The Psych YAML library is updated to 5.1.0. This version switches the JRuby extension to SnakeYAML Engine, avoiding CVEs against the original SnakeYAML and updating YAML compatibility to specification version 1.2. #6365, #7570, #7626
NOTE: JRuby 9.4.x targets Ruby 3.1 compatibility instead of Ruby 2.6 which 9.3.x were having!
Attachments
Issue Links
- is a clone of
-
HBASE-28249 Bump jruby to 9.3.13.0 and related joni and jcodings to 2.2.1 and 1.0.58 respectively
- Resolved