HawtJNI vulnerable to CVE-2013-2035 embedded by jline2 #85

Closed
dfj opened this Issue May 15, 2013 · 7 comments

dfj commented May 15, 2013

jline2 embeds jansi, which in turn embeds the org.fusesource.hawtjni.runtime.Library class. This is vulnerable to CVE-2013-2035:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2035

HawtJNI 1.8 has been released, incorporating a fix for this flaw. Jansi 1.11 has been released, embedding HawtJNI 1.8 and incorporating a fix for this flaw.

@trptcolin trptcolin closed this in 9639d05 May 15, 2013
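
The embedding chain described in the report (jline2 → jansi → `org.fusesource.hawtjni.runtime.Library`) means a dependency listing alone may not show HawtJNI at all. The following is an added example, not part of the thread or of the jline2 project: it scans an archive, including nested jars, for the embedded class. The names `scan_archive`, `needs_upgrade` and `sample_app_jar` are hypothetical, the sample jar is constructed, and the version lookup assumes the embedded copy kept a Maven `pom.properties` file.

```python
import io
import zipfile

TARGET = "org/fusesource/hawtjni/runtime/Library.class"  # class named in the report
FIXED = (1, 8)  # HawtJNI release the report says carries the fix


def scan_archive(data, label):
    """Return [(location, version_or_None)] for each embedded copy of TARGET."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = None
        # Assumption: a shaded copy may keep HawtJNI's Maven pom.properties.
        for name in names:
            if name.endswith("pom.properties") and "hawtjni" in name:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        if TARGET in names:
            hits.append((label, version))
        # Recurse into nested archives (fat jars, WEB-INF/lib in a WAR).
        for name in names:
            if name.lower().endswith((".jar", ".war")):
                try:
                    hits += scan_archive(zf.read(name), f"{label}!/{name}")
                except zipfile.BadZipFile:
                    pass  # not a real archive despite the extension
    return hits


def needs_upgrade(version):
    """Treat unknown or unparsable versions as suspect; else compare to FIXED."""
    try:
        return tuple(int(p) for p in version.split(".")[:2]) < FIXED
    except (AttributeError, ValueError):
        return True


def sample_app_jar():
    """Constructed sample: app jar bundling a jline jar that embeds TARGET."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()
    props = "META-INF/maven/x/hawtjni-runtime/pom.properties"  # constructed path
    return jar({"lib/jline.jar": jar({TARGET: b"", props: b"version=1.7\n"})})
```

A hit with no version only proves the class is present; confirm the fix by checking which jline2 or jansi release the containing jar came from.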

Member

trptcolin commented May 15, 2013

@dfj thanks for reporting this.

@gnodet @jdillon any chance we can get a release? Not sure whether any of the pending PRs should be merged or whether there are other things you guys wanted to get in first.

Contributor

headius commented May 17, 2013

JRuby is waiting on a release too, since we bundle jline2.

Owner

jdillon commented May 17, 2013

I can spin a release this weekend if the codebase is ready. I don't have time to review anything or check if it's ready, so someone let me know and I'll release it.

Member

trptcolin commented May 18, 2013

I believe it is good to go, but since I've been making the most recent merges & pushes, I understand if you prefer waiting for someone else to bang on it.

Owner

jdillon commented May 19, 2013

staged:

https://oss.sonatype.org/content/repositories/jline-576

please verify if it's all happy and I will pull the release trigger, and re-deploy the site.

Member

trptcolin commented May 20, 2013

Looks good to me.

Owner

jdillon commented May 20, 2013

released, will try to get the site updated shortly.
