zookeeper-dev mailing list archives

From Enrico Olivelli <eolive...@gmail.com>
Subject Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1
Date Mon, 23 Sep 2019 09:22:08 GMT
Links to the details:
https://github.com/FasterXML/jackson-databind/issues/2449

@Andor Molnár <andor@apache.org> is it a -1 from your side?

The rush for 3.5.6 is more about delivering a version of ZK without the
security issues reported for Jackson Databind, so it may make sense to
cancel this vote (but I am not doing it actually)
Btw we can't follow the fast pace of DataBind and CVEs

This is interesting
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062


As we are not affected by the issues above I suggest to move forward with
the current tag



Enrico

On Mon, 23 Sep 2019 at 11:07, Norbert Kalmar
<nkalmar@cloudera.com.invalid> wrote:

> These CVEs do not affect ZooKeeper; both are related to Hikari, which is not
> used at all by ZooKeeper. (It's a JDBC connection pooling library)
>
> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
>
>
> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <andor@apache.org> wrote:
>
> > Hi Enrico!
> >
> > Looks like owasp is reporting 2 new issues with jackson-databind-2.9.9.3:
> >
> > https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
> >
> > If I’m not mistaken.
> >
> > Andor
> >
> >
> >
> > > On 2019. Sep 20., at 22:18, Enrico Olivelli <eolivelli@gmail.com> wrote:
> > >
> > > This is a bugfix release candidate for 3.5.6.
> > >
> > > It fixes 27 issues, including upgrade of third party libraries,
> > > TTL Node APIs for C API, support for PKCS12 Keystores, and better
> > > procedure for the upgrade of servers from 3.4 to 3.5.
> > >
> > > The full release notes are available at:
> > >
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > >
> > > *** Please download, test and vote by September 23rd 2019, 23:59 UTC+0. ***
> > >
> > > Source files:
> > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
> > >
> > > Maven staging repo:
> > > https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
> > >
> > > The release candidate tag in git to be voted upon: release-3.5.6-rc1
> > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
> > >
> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > https://www.apache.org/dist/zookeeper/KEYS
> > >
> > > Should we release this candidate?
> > >
> > > Enrico Olivelli
> >
> >
>
