  1. Puppet Server
  2. SERVER-1661

Upgrade puppetserver to latest versions of bouncycastle, jruby-openssl, and JRuby 1.7.x

    Details

    • Template:
    • Team:
      Systems Engineering
    • Sub-team:
    • Story Points:
      3
    • Sprint:
      SE 2016-11-30, Server 2017-05-31, Server 2017-06-14
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Puppet Server now includes a newer version of JRuby, 1.7.27. This in turn includes a newer version of the jruby-openssl gem, 0.9.19. Newer versions of the bouncycastle libraries, 1.55, are also included for compatibility with the newer jruby-openssl version.

      JRuby 1.7.27 breaks support for configuring the "jruby-puppet.compat-version" to "2.0". The "jruby-puppet.compat-version" setting has been removed. If the setting is present at puppetserver startup, the service will error out. For Ruby language 2+ support under Puppet Server, you will now need to configure Puppet Server to use JRuby 9k instead of JRuby 1.7.27. See: SERVER-1630.

      Description

      There are some security and compatibility fixes in recent versions of bouncycastle and jruby-openssl. We need to bump bouncycastle to the latest version (1.55), and validate that we are shipping the latest jruby-openssl (and upgrade it if we aren't).

      We already landed a PR against jvm-ssl-utils that upgrades bouncycastle, so we just need to promote that change up through the dependencies into Puppet Server.

      As for jruby-openssl, I believe that is shipped as part of the core JRuby package, and that we are already on the latest version of the 1.7.x JRuby series, so there may not be any work required there... but as part of this ticket we should verify that, and if the one included with the latest JRuby package isn't the latest version, see what would be necessary to upgrade.
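The release notes above say the service will error out at startup if "jruby-puppet.compat-version" is still set. A pre-upgrade check for that setting, as an added example that is not part of the ticket or of Puppet Server: the function name and sample configuration are constructed, and the line-based scan is a simplification that assumes one setting or brace per line rather than full HOCON parsing.

```python
import re

REMOVED_KEY = "jruby-puppet.compat-version"  # setting named in the release notes

# Simplified grammar (assumption): one setting or one brace per line.
_OPEN = re.compile(r'^"?([\w.-]+)"?\s*[:=]?\s*\{$')
_ASSIGN = re.compile(r'^"?([\w.-]+)"?\s*[:=]\s*(.+?),?$')

def _strip_comment(line):
    """Drop a trailing # or // comment that is not inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and (ch == "#" or line.startswith("//", i)):
            return line[:i]
    return line

def find_removed_setting(conf_text):
    """Return [(line_number, value)] for each active compat-version entry."""
    hits, path = [], []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = _strip_comment(raw).strip()
        if not line:
            continue  # blank or fully commented-out line
        if line.startswith("}"):
            if path:
                path.pop()  # leave the current section
            continue
        opened = _OPEN.match(line)
        if opened:
            path.append(opened.group(1))  # enter a nested section
            continue
        assigned = _ASSIGN.match(line)
        if assigned and ".".join(path + [assigned.group(1)]) == REMOVED_KEY:
            hits.append((number, assigned.group(2).strip().strip('"')))
    return hits

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = '''\
# constructed sample
jruby-puppet: {
    ruby-load-path: [/opt/puppetlabs/puppet/lib/ruby/vendor_ruby]
    # compat-version: "1.9"
    compat-version: "2.0"   # removed setting
    max-active-instances: 2
}
'''

if __name__ == "__main__":
    for number, value in find_removed_setting(SAMPLE_CONF):
        print(f"line {number}: remove {REMOVED_KEY} (currently {value})")
```

Run it over each of the server's configuration files before upgrading; an empty result means the removed setting is not present in that file.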


            People

            • Assignee:
              jeremy.barlow Jeremy Barlow
              Reporter:
              chris Chris Price
