[JBoss JIRA] (JBESB-3890) jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370

Tuesday, 18 December 2012



     [
https://issues.jboss.org/browse/JBESB-3890?page=com.atlassian.jira.plugin...
]

Tom Cunningham updated JBESB-3890:
----------------------------------

    Component/s: Examples

    
...
 jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370
 ---------------------------------------------------------

                 Key: JBESB-3890
                 URL: https://issues.jboss.org/browse/JBESB-3890
             Project: JBoss ESB
          Issue Type: Bug
      Security Level: Public(Everyone can see) 
          Components: Examples
    Affects Versions: 4.11
            Reporter: David Jorm
            Assignee: Tom Cunningham
             Fix For: 4.12


 jruby.jar as shipped with JBoss ESB exposes CVE-2012-5370. We are shipping JRuby 1.6.5.1.
The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm
implementation with the SipHash-2-4 implementation:
 http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
 An upstream fix is not yet available for JRuby. Once an upstream fix is available, we
should incorporate it into a future release via a component upgrade. 
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007