[ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476153#comment-16476153 ]
Sean Busbey commented on HBASE-20582:
-------------------------------------

The shading makes it worse in some sense, btw, since it's substantially harder for a downstream user to upgrade that version. Removing jackson from the client path makes sense, imho.

> Bump up the Jackson and Jruby version because of some reported vulnerabilities
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ankit Singhal
>            Assignee: Ankit Singhal
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in
> HBase.
> {code}
> Jackson(version:2.9.2):
> CVE-2017-17485
> CVE-2018-5968
> CVE-2018-7489
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> The tool is somehow able to relate the vulnerabilities of Ruby with JRuby (the Java
> implementation).
> Not all of them directly affect HBase, but [~elserj] suggested that it is
> better to be on the updated version to avoid issues during an audit in a
> security-sensitive organization.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
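As an added illustration of the point about shading (this is example configuration, not code from HBase or from this issue): the way a downstream Maven project normally forces an un-shaded Jackson to a chosen version is a `dependencyManagement` entry in its own pom.xml. The group and artifact ids below are Jackson's real coordinates; the version property is a placeholder, since the issue names only the vulnerable 2.9.2. A copy of Jackson that a library bundles inside its own shaded jar is not a separate Maven artifact, so this override never reaches it; the downstream user has to wait for the library to ship a rebuilt jar, which is the difficulty the comment describes.

```xml
<!-- Added example, not from HBase: pin un-shaded Jackson in a downstream pom.xml.
     ${jackson.version} is a placeholder property the downstream project defines. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-annotations</artifactId>
      <version>${jackson.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

To confirm which Jackson the build actually resolves after such a pin, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` lists only the Jackson artifacts in the resolved tree; a shaded copy will not appear there at all, which is exactly why a scanner run against the final jar, rather than against the pom, is needed to see it.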