zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Patrick Hunt <ph...@apache.org>
Subject Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1
Date Thu, 26 Sep 2019 15:38:52 GMT
On Thu, Sep 26, 2019 at 3:50 AM Enrico Olivelli <eolivelli@gmail.com> wrote:

> Hi folks,
> all the community is invited to test this release candidate
>
> and we need at least three binding VOTEs
>
>
After seeing Andor's feedback I was waiting for the new RC to be cut. (also
FYI Strata this week) Given we release relatively infrequently it seemed a
better idea to spend an additional few days knocking this one down so it's
not an open question going forward. If folks disagree please state as such
as I'd rather not spend the time reviewing again just to have to review
another RC.

Patrick



> Best regards
> Enrico
>
> Il giorno lun 23 set 2019 alle ore 11:22 Enrico Olivelli <
> eolivelli@gmail.com> ha scritto:
>
> > Links to the details:
> > https://github.com/FasterXML/jackson-databind/issues/2449
> > https://github.com/FasterXML/jackson-databind/issues/2449
> >
> > @Andor Molnár <andor@apache.org>  is it a -1 from your side ?
> >
> > The rush for 3.5.6 is more about delivering a version of ZK without the
> > security issues reported for Jackson Databind, so it may make sense to
> > cancel this vote (but I am not doing it actually)
> > Btw we can't follow the fast pace of DataBind and CVEs
> >
> > This is interesting
> >
> >
> https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
> >
> >
> > As we are not affected but the issues above I suggest to move forward
> with
> > the current tag
> >
> >
> >
> > Enrico
> >
> > Il giorno lun 23 set 2019 alle ore 11:07 Norbert Kalmar
> > <nkalmar@cloudera.com.invalid> ha scritto:
> >
> >> These CVE's do no affect ZooKeeper, both is related to Hikari which is
> not
> >> used at all by ZooKeeper. (It's a JDBC connection pooling library)
> >>
> >>
> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
> >>
> >>
> >> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <andor@apache.org> wrote:
> >>
> >> > Hi Enrico!
> >> >
> >> > Looks like owasp is reporting 2 new issues with
> >> jackson-databind-2.9.9.3:
> >> >
> >> >
> >> >
> >>
> https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
> >> >
> >> > If I’m not mistaken.
> >> >
> >> > Andor
> >> >
> >> >
> >> >
> >> > > On 2019. Sep 20., at 22:18, Enrico Olivelli <eolivelli@gmail.com>
> >> wrote:
> >> > >
> >> > > This is a bugfix release candidate for 3.5.6.
> >> > >
> >> > > It fixes 27 issues, including upgrade of third party libraries,
> >> > > TTL Node APIs for C API, support for PCKS12 Keystores, and better
> >> > procedure
> >> > > for the upgrade of servers from 3.4 to 3.5.
> >> > >
> >> > > The full release notes is available at:
> >> > >
> >> > >
> >> >
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >> > >
> >> > > *** Please download, test and vote by September 23th 2019, 23:59
> >> UTC+0.
> >> > ***
> >> > >
> >> > > Source files:
> >> > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
> >> > >
> >> > > Maven staging repo:
> >> > >
> >> >
> >>
> https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
> >> > >
> >> > > The release candidate tag in git to be voted upon: release-3.5.6-rc1
> >> > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
> >> > >
> >> > > ZooKeeper's KEYS file containing PGP keys we use to sign the
> release:
> >> > > https://www.apache.org/dist/zookeeper/KEYS
> >> > >
> >> > > Should we release this candidate?
> >> > >
> >> > > Enrico Olivelli
> >> >
> >> >
> >>
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message