zookeeper-dev mailing list archives

From Enrico Olivelli <eolive...@gmail.com>
Subject Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1
Date Thu, 26 Sep 2019 07:50:29 GMT
Hi folks,
all the community is invited to test this release candidate

and we need at least three binding VOTEs

Best regards
Enrico

On Mon, 23 Sep 2019 at 11:22, Enrico Olivelli <eolivelli@gmail.com> wrote:

> Links to the details:
> https://github.com/FasterXML/jackson-databind/issues/2449
> https://github.com/FasterXML/jackson-databind/issues/2449
>
> @Andor Molnár <andor@apache.org>  is it a -1 from your side ?
>
> The rush for 3.5.6 is more about delivering a version of ZK without the
> security issues reported for Jackson Databind, so it may make sense to
> cancel this vote (but I am not doing it actually)
> Btw we can't follow the fast pace of DataBind and CVEs
>
> This is interesting
>
> https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
>
>
> As we are not affected by the issues above I suggest to move forward with
> the current tag
>
>
>
> Enrico
>
> On Mon, 23 Sep 2019 at 11:07, Norbert Kalmar
> <nkalmar@cloudera.com.invalid> wrote:
>
>> These CVEs do not affect ZooKeeper; both are related to Hikari, which is not
>> used at all by ZooKeeper. (It's a JDBC connection pooling library)
>>
>> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
>>
>>
>> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <andor@apache.org> wrote:
>>
>> > Hi Enrico!
>> >
>> > Looks like owasp is reporting 2 new issues with jackson-databind-2.9.9.3:
>> >
>> > https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
>> >
>> > If I’m not mistaken.
>> >
>> > Andor
>> >
>> >
>> >
>> > > On 2019. Sep 20., at 22:18, Enrico Olivelli <eolivelli@gmail.com> wrote:
>> > >
>> > > This is a bugfix release candidate for 3.5.6.
>> > >
>> > > It fixes 27 issues, including upgrade of third party libraries,
>> > > TTL Node APIs for C API, support for PKCS12 Keystores, and better procedure
>> > > for the upgrade of servers from 3.4 to 3.5.
>> > >
>> > > The full release notes are available at:
>> > >
>> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>> > >
>> > > *** Please download, test and vote by September 23rd 2019, 23:59 UTC+0. ***
>> > >
>> > > Source files:
>> > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
>> > >
>> > > Maven staging repo:
>> > > https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
>> > >
>> > > The release candidate tag in git to be voted upon: release-3.5.6-rc1
>> > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
>> > >
>> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>> > > https://www.apache.org/dist/zookeeper/KEYS
>> > >
>> > > Should we release this candidate?
>> > >
>> > > Enrico Olivelli
>> >
>> >
>>
>
