Facing ROBOT vulnerability issue with jruby-openssl (= 0.9.16) #5156
Comments
@pawan-chawdhary Were you able to confirm that JRuby does indeed have this vulnerability? If so, can you show me how to do that? Our 'openssl' implementation is based on BouncyCastle, but we use it in rather peculiar ways. Upgrading BC and releasing a new jruby-openssl seems like the most likely path forward, but I'd like to confirm we do actually have an issue first.
According to https://robotattack.org/ this is fixed in BC with version 1.59, which is already out: https://bouncycastle.org/latest_releases.html
@mkristian Here's hoping they didn't break too much of the API this time 😝
Since this is only under SSL/TLS, jruby-openssl isn't affected. At some point it would make a lot of sense to use BC's SSL engine, but in currently released versions (all 0.9.x) we do not have the .jar included, so this is not relevant for jossl. This would apply if you install the BC provider into the JDK, which is rarely done, and if so it needs a manual re-install anyway.
Have double checked: as noted, we do not consult BC for the SSLEngine in currently released (0.9.x) versions.
Linux/Ubuntu
Facing ROBOT vulnerability issue with jruby-openssl (= 0.9.16). Please suggest the next version of jruby-openssl which is not vulnerable to this issue.
https://www.tenable.com/plugins/nessus/105415
CVE-2017-1000385
http://erlang.org/pipermail/erlang-questions/2017-November/094257.html
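The point the maintainers make above is that ROBOT (CVE-2017-1000385) is a TLS-layer problem: it needs a server that performs static RSA key exchange, where the client encrypts the premaster secret under the server's RSA key with PKCS#1 v1.5, so the practical check for any endpoint is whether it offers such cipher suites at all, whichever library does the RSA decryption behind it. The Ruby script below is an added example written for this page; it is not code from jruby-openssl, BouncyCastle or the issue reporter. It classifies cipher suites by key-exchange method from their names, accepting both OpenSSL-style names ("AES128-SHA") and the IANA/JSSE-style names a JVM stack reports ("TLS_RSA_WITH_AES_128_CBC_SHA"), flags the suites that make a Bleichenbacher oracle reachable, and applies a cipher policy that excludes them to an OpenSSL::SSL::SSLContext. The scanned suite list is constructed sample data, the name rules are a heuristic (anything unrecognised is conservatively treated as static RSA), and the context part assumes the OpenSSL-backed openssl library of MRI; on JRuby the same API exists but cipher-string aliases may differ.

```ruby
require 'openssl'

# Classify a TLS cipher suite by key-exchange method, from its name alone.
# Heuristic (assumption): OpenSSL names carry a key-exchange prefix such as
# "ECDHE-"/"DHE-" and omit it for static RSA ("AES128-GCM-SHA256"); IANA/JSSE
# names spell it out ("TLS_RSA_WITH_..."). TLS 1.3 suites never use RSA kex.
# Unrecognised names fall through to :rsa so they are flagged, not ignored.
def key_exchange(suite)
  case suite
  when /_SCSV\z/                                then :signaling    # not a suite
  # IANA / JSSE names
  when /\A(?:TLS|SSL)_RSA_(?:EXPORT_)?WITH_/    then :rsa          # static RSA
  when /\ATLS_RSA_PSK_WITH_/                    then :rsa_psk      # also RSA-encrypted
  when /\ATLS_(?:ECDHE|DHE)_/                   then :ephemeral_dh # forward secrecy
  when /\ATLS_(?:ECDH|DH)_anon_/                then :anonymous
  when /\ATLS_(?:ECDH|DH)_/                     then :static_dh
  when /\ATLS_PSK_/                             then :psk
  when /\ATLS_SRP_/                             then :srp
  when /\ATLS_(?:AES|CHACHA20)_/                then :tls13
  # OpenSSL names
  when /\A(?:ECDHE|DHE|EDH|EXP-EDH)-/           then :ephemeral_dh
  when /\A(?:ADH|AECDH|EXP-ADH)-/               then :anonymous
  when /\AECDH-/                                then :static_dh
  when /\ARSA-PSK-/                             then :rsa_psk
  when /\APSK-/                                 then :psk
  when /\ASRP-/                                 then :srp
  else                                               :rsa          # kRSA, incl. EXP-RC4-MD5
  end
end

# Key-exchange methods in which the client sends an RSA-PKCS#1 v1.5 encrypted
# secret, i.e. the ones a ROBOT/Bleichenbacher oracle can be built on.
ROBOT_KEX = %i[rsa rsa_psk].freeze

# Suites from `offered` (as reported by a scanner or the server's own config)
# that expose RSA key exchange. Empty means the endpoint is not ROBOT-exploitable
# regardless of the RSA implementation behind it.
def robot_exposed_suites(offered)
  offered.select { |s| ROBOT_KEX.include?(key_exchange(s)) }
end

# Hardened OpenSSL cipher string (assumed policy): forward-secret suites only,
# with static RSA excluded explicitly so a later addition cannot reintroduce it.
HARDENED_CIPHERS = 'ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!kRSA'.freeze

# Apply the policy to a context and return the suite names it will negotiate
# (TLS 1.3 suites included where the library supports them).
def hardened_context_suites
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = HARDENED_CIPHERS
  ctx.ciphers.map(&:first) # each entry is [name, version, bits, alg_bits]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: what a scanner might report from a server that still
  # enables static-RSA suites alongside forward-secret ones (not data from the issue).
  scanned = %w[
    TLS_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    ECDHE-RSA-AES256-GCM-SHA384
    AES128-SHA
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  ]
  exposed = robot_exposed_suites(scanned)
  if exposed.empty?
    puts 'no static-RSA key exchange offered; ROBOT does not apply'
  else
    puts "ROBOT-relevant suites offered: #{exposed.join(', ')}"
  end
  puts "hardened context negotiates: #{hardened_context_suites.join(', ')}"
end
```

Feed `robot_exposed_suites` the suite list from an external scan (for example the names a ROBOT or Nessus check enumerates) rather than the server's configured list alone; a TLS terminator or JVM default in front of the application can add suites the application never configured. Fixing the oracle in the RSA implementation (the BC 1.59 change referenced above) and removing static RSA key exchange are independent mitigations; the second one also closes the issue for implementations you cannot patch.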