David Jorm created JBESB-3884: --------------------------------- Summary: jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370 Key: JBESB-3884 URL: https://issues.jboss.org/browse/JBESB-3884 Project: JBoss ESB Issue Type: Bug Security Level: Public (Everyone can see) Reporter: David Jorm jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370. We are shipping JRuby 1.6.5.1. The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm implementation with the SipHash-2-4 implementation: http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/ An upstream fix is not yet available for JRuby. Once an upstream fix is available, we should incorporate it into a future release via a component upgrade. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira