  1. JBoss Fuse
  2. ENTESB-454

jruby.jar as shipped with Fuse ESB Enterprise exposes CVE-2012-5370

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: fuse-esb-7.0.2, fuse-esb-7.1.0
    • Fix Version/s: fuse-esb-7.1.0, jboss-fuse-6.0
    • Component/s: None
    • Labels:
      None

      Description

      jruby.jar as shipped with Fuse ESB Enterprise exposes CVE-2012-5370. We are shipping JRuby 1.6.7. The upstream Ruby language has replaced the vulnerable Murmur hash function / algorithm implementation with the SipHash-2-4 implementation:

      http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/

      An upstream fix is not yet available for JRuby. Once an upstream fix is available, we should incorporate it into a future release via a component upgrade.

              People

              • Assignee:
                davsclaus Claus Ibsen
                Reporter:
                dfj David Jorm