
Bump Jython to 2.7.3 #9140

Merged: 2 commits merged Aug 30, 2023

Conversation

@jlowe (Member) commented Aug 30, 2023

Bumping Jython to 2.7.3 to address CVE-2013-2027

Signed-off-by: Jason Lowe <[email protected]>
@jlowe jlowe added the build Related to CI / CD or cleanly building label Aug 30, 2023
@jlowe jlowe self-assigned this Aug 30, 2023
@jlowe (Member, Author) commented Aug 30, 2023

build

@github-actions commented

👎 Promotion blocked, new vulnerability found

Vulnerability report

Component: Jython
Vulnerability: CVE-2013-2027
Description: Jython 2.2.1 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors.
Severity: MEDIUM
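The scanner report above quotes the CVE text: the weakness is that cache files inherit whatever the process umask happens to allow, rather than being created with an explicitly private mode. The following is an added example (not code from the spark-rapids PR, from Jython, or from the scanner) that shows the two patterns side by side on POSIX and includes a hypothetical audit function a practitioner could point at a cache directory. The file names, the `cachedir` path and the 0o022 umask are constructed for the demonstration; Jython's actual cache layout is not assumed.

```python
"""Added example: umask-dependent vs explicitly private cache files (POSIX).

Not part of the spark-rapids PR, Jython, or the vulnerability scanner.
Assumptions: POSIX permission bits (os.umask, os.fchmod); Linux/macOS temp dirs.
"""
import os
import stat
import tempfile
from contextlib import contextmanager


@contextmanager
def umask(value):
    """Temporarily set the process umask and restore it afterwards."""
    old = os.umask(value)
    try:
        yield
    finally:
        os.umask(old)


def create_umask_dependent(path, data=b"constructed cached class bytes"):
    """Pattern the CVE describes: ask for 0o666 and let the umask decide.

    With a typical 0o022 umask the file ends up 0o644, readable by everyone;
    with 0o000 it would be world-writable. Returns the resulting mode bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_private(path, data=b"constructed cached class bytes"):
    """Hardened pattern: request 0o600 at creation time.

    The umask can only clear bits from the requested mode, so no umask can
    widen 0o600. O_CREAT does not change the mode of a file that already
    exists, so fchmod() is applied as well in case an older, wider file is
    being overwritten. Returns the resulting mode bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(f.fileno(), 0o600)
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_cache_dir(root):
    """Hypothetical check: list entries under root that group/other can access.

    Returns paths relative to root, sorted, for every file or directory whose
    mode has any of the group/other bits (0o077) set. Symlinks are not followed.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & 0o077:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def demo():
    """Create one file each way under a permissive umask, then audit the dir."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "cachedir")  # constructed name, not Jython's
        os.mkdir(cache, 0o700)
        with umask(0o022):  # common interactive default
            loose = create_umask_dependent(os.path.join(cache, "loose.class"))
            tight = create_private(os.path.join(cache, "tight.class"))
        findings = audit_cache_dir(cache)
    return {
        "umask_dependent_mode": loose,  # 0o644 under umask 0o022
        "private_mode": tight,          # 0o600 regardless of umask
        "findings": findings,           # only the umask-dependent file
    }


if __name__ == "__main__":
    result = demo()
    print({k: (oct(v) if isinstance(v, int) else v) for k, v in result.items()})
```

The point to take from the two creation functions is that a restrictive mode passed to `open(2)` is safe under any umask, whereas a permissive mode delegates the security decision to whatever umask the build or service account happens to run with. The audit function is what a quick post-upgrade check would look like: run it against the real cache directory and expect an empty list.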

@revans2 (Collaborator) previously approved these changes Aug 30, 2023 and left a comment:

Should we move away from using jython? Using a beta version does not feel great.

Also the vulnerability scan is still failing. Should we try going to 2.7.3 instead?

@jlowe (Member, Author) commented Aug 30, 2023

Should we try going to 2.7.3 instead?

I was trying to minimize the change by going to the closest patched version, as the CVE said 2.7.2b3 has the fix. I'll try going to 2.7.3.

@jlowe jlowe changed the title Bump Jython to 2.7.2b3 Bump Jython to 2.7.3 Aug 30, 2023
@jlowe (Member, Author) commented Aug 30, 2023

build

@gerashegalov (Collaborator) left a comment:

LGTM

@gerashegalov (Collaborator) commented:

Should we move away from using jython?

I picked jython for the following reasons:

  • lightweight integration with Ant, allowing us to sidestep awkward XML programming
  • does not introduce a new language to the code base
  • most actively maintained scriptdef implementation, judging by the number of commits as far as I can see, which is probably also the reason why we have a release ready for the CVE
  • does not require real Python just for the build's sake
  • on the other hand, I anticipated that some day it might be required to drop it, and it's not hard to rewrite it in terms of ant exec to python

@jlowe jlowe merged commit d336b7a into NVIDIA:branch-23.10 Aug 30, 2023
27 checks passed
@jlowe jlowe deleted the bump-jython branch August 30, 2023 17:56
4 participants