HawtJNI vulnerable to CVE-2013-2035 embedded by jline2

[dfj]

jline2 embeds jansi, which in turn embeds the org.fusesource.hawtjni.runtime.Library class. This is vulnerable to CVE-2013-2035:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2035

HawtJNI 1.8 has been released, incorporating a fix for this flaw. Jansi 1.11 has been released, embedding HawtJNI 1.8 and incorporating a fix for this flaw.

[trptcolin]

@dfj thanks for reporting this.

@gnodet @jdillon any chance we can get a release? Not sure whether any of the pending PRs should be merged or whether there are other things you guys wanted to get in first.

[headius]

JRuby is waiting on a release too, since we bundle jline2.

[jdillon]

I can spin a release this weekend if the codebase is ready. I don't have time to review anything or check if its ready, so someone let me know and I'll release it.

[trptcolin]

I believe it is good to go, but since I've been making the most recent merges & pushes, I understand if you prefer waiting for someone else to bang on it.

[jdillon]

staged:

https://oss.sonatype.org/content/repositories/jline-576

please verify if its all happy and I will pull the release trigger, and re-deploy the site.

[trptcolin]

Looks good to me.

[jdillon]

released, will try to get the site updated shortly.