[SERVER-1661] Upgrade puppetserver to latest versions of bouncycastle, jruby-openssl, and JRuby 1.7.x - Puppet Tickets

XML

Word

Printable

Details

Type: Task
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: SERVER 5.0.0
Component/s: Puppet Server
Labels:
- maintenance

Template:
customfield_10700 161276
Epic Link:
System Team Escalations
Team:
Systems Engineering
Sub-team:
- Server
Story Points:
3
Sprint:
SE 2016-11-30, Server 2017-05-31, Server 2017-06-14

Release Notes:
New Feature
Release Notes Summary:

Hide
Puppet Server now includes a newer version of JRuby, 1.7.27. This in turn includes a newer version of the jruby-openssl gem, 0.9.19. Newer versions of the bouncycastle libraries, 1.55, are also included for compatibility with the newer jruby-openssl version.

JRuby 1.7.27 breaks support for configuring the "jruby-puppet.compat-version" to "2.0". The "jruby-puppet.compat-version" setting has been removed. If the setting is present at puppetserver startup, the service will error out. For Ruby language 2+ support under Puppet Server, you will now need to configure Puppet Server to use JRuby 9k instead of JRuby 1.7.27. See: ~~SERVER-1630~~.

Show
Puppet Server now includes a newer version of JRuby, 1.7.27. This in turn includes a newer version of the jruby-openssl gem, 0.9.19. Newer versions of the bouncycastle libraries, 1.55, are also included for compatibility with the newer jruby-openssl version. JRuby 1.7.27 breaks support for configuring the "jruby-puppet.compat-version" to "2.0". The "jruby-puppet.compat-version" setting has been removed. If the setting is present at puppetserver startup, the service will error out. For Ruby language 2+ support under Puppet Server, you will now need to configure Puppet Server to use JRuby 9k instead of JRuby 1.7.27. See: SERVER-1630 .

Description

There are some security and compatibility fixes in recent versions of bouncycastle and jruby-openssl. We need to bump bouncycastle to the latest version (1.55), and validate that we are shipping the latest jruby-openssl (and upgrade it if we aren't).

We already landed a PR against jvm-ssl-utils that upgrades bouncycastle, so we just need to promote that change up through the dependencies into Puppet Server.

As for jruby-openssl, I believe that is shipped as part of the core JRuby package, and that we are already on the latest version of the 1.7.x JRuby series, so there may not be any work required there... but as part of this ticket we should verify that, and if the one included with the latest JRuby package isn't the latest version, see what would be necessary to upgrade.

Attachments

Activity

People

Assignee:: Jeremy Barlow

Reporter:: Chris Price

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2016/11/16 9:05 AM

Updated:: 2017/06/28 12:19 PM

Resolved:: 2017/06/28 12:19 PM