[esb-issues] [JBoss JIRA] (JBESB-3884) jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370

Tuesday, 18 December 2012



     [
https://issues.jboss.org/browse/JBESB-3884?page=com.atlassian.jira.plugin...
]

Tom Cunningham closed JBESB-3884.
---------------------------------


...
 jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370
 ---------------------------------------------------------

                 Key: JBESB-3884
                 URL: https://issues.jboss.org/browse/JBESB-3884
             Project: JBoss ESB
          Issue Type: Bug
      Security Level: Public(Everyone can see) 
    Affects Versions: 4.11
            Reporter: David Jorm
            Assignee: Tom Cunningham
             Fix For: 4.11 CP2


 jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370. We are shipping JRuby 1.6.5.1.
The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm
implementation with the SipHash-2-4 implementation:
 http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
 An upstream fix is not yet available for JRuby. Once an upstream fix is available, we
should incorporate it into a future release via a component upgrade. 
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

[esb-issues] [JBoss JIRA] (JBESB-3884) jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370