David Jorm created JBESB-3884:
---------------------------------
Summary: jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370
Key: JBESB-3884
URL: https://issues.jboss.org/browse/JBESB-3884
Project: JBoss ESB
Issue Type: Bug
Security Level: Public (Everyone can see)
Reporter: David Jorm
jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370. We are shipping JRuby 1.6.5.1.
The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm
implementation with the SipHash-2-4 implementation:
http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
An upstream fix is not yet available for JRuby. Once an upstream fix is available, we
should incorporate it into a future release via a component upgrade.