Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

HawtJNI vulnerable to CVE-2013-2035 embedded by jline2 #85

dfj opened this Issue May 15, 2013 · 7 comments


None yet
4 participants

dfj commented May 15, 2013

jline2 embeds jansi, which in turn embeds the org.fusesource.hawtjni.runtime.Library class. This is vulnerable to CVE-2013-2035:


HawtJNI 1.8 has been released, incorporating a fix for this flaw. Jansi 1.11 has been released, embedding HawtJNI 1.8 and incorporating a fix for this flaw.

@trptcolin trptcolin closed this in 9639d05 May 15, 2013


trptcolin commented May 15, 2013

@dfj thanks for reporting this.

@gnodet @jdillon any chance we can get a release? Not sure whether any of the pending PRs should be merged or whether there are other things you guys wanted to get in first.


headius commented May 17, 2013

JRuby is waiting on a release too, since we bundle jline2.


jdillon commented May 17, 2013

I can spin a release this weekend if the codebase is ready. I don't have time to review anything or check if its ready, so someone let me know and I'll release it.


trptcolin commented May 18, 2013

I believe it is good to go, but since I've been making the most recent merges & pushes, I understand if you prefer waiting for someone else to bang on it.


jdillon commented May 19, 2013



please verify if its all happy and I will pull the release trigger, and re-deploy the site.


trptcolin commented May 20, 2013

Looks good to me.


jdillon commented May 20, 2013

released, will try to get the site updated shortly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment