Update Clojure to 1.9.0 (addresses CVE-2017-20189)

[roberttaylor426]

CVE-2017-20189 is a critical security vulnerability affecting versions of Clojure prior to 1.9.0.

Can we bump this project's dependency to 1.9.0 and cut a new release?

[weavejester]

This library doesn't use Java deserialization, so it shouldn't be directly affected. The Clojure dependency indicates the minimum version the library is compatible with, and is overridden by whatever version of Clojure the end developer chooses.

As far as I can tell this is therefore only a problem if:

1. The end developer uses deserialization from an untrusted client.
2. The developer does not set their own Clojure version.
3. No other Clojure dependency overrides this one.

In other words, the developer needs to be doing a lot of things wrong for this to become an problem. That said, it might not be a bad idea to update Ring itself to 1.9.0 for the next release, and then update the rest of the projects at the same time.

[roberttaylor426]

Thanks @weavejester, I agree with your points (and from our perspective, this issue has only really created work for us in having to add CVE suppression rules for our dependency-checking tool).

Is there anything I could do to assist with the preparation of the next release for Ring? Is there an established timeline / cadence?

[weavejester]

I'm expecting to get Ring 1.12 out sometime in February. The only major blocker is a fix for synchronous body streams closing too soon. I suspect that a couple of things in the Jetty adapter will need to be reworked because of that.