zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andor Molnar <an...@apache.org>
Subject Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1
Date Thu, 26 Sep 2019 18:16:45 GMT
Sorry I was busy with company work and didn’t have much time for ZooKeeper. I was not sure
about whether I have to -1 because of those new CVEs, but if we can upgrade relatively quickly
(bumping version numbers), then I think we should do it even if the problem doesn’t affect
us directly. (owasp build will be red anyways)

Enrico, how much effort would be to upgrade Jackson libs again?

Sorry about that.

Andor




> On 2019. Sep 26., at 17:38, Patrick Hunt <phunt@apache.org> wrote:
> 
> On Thu, Sep 26, 2019 at 3:50 AM Enrico Olivelli <eolivelli@gmail.com> wrote:
> 
>> Hi folks,
>> all the community is invited to test this release candidate
>> 
>> and we need at least three binding VOTEs
>> 
>> 
> After seeing Andor's feedback I was waiting for the new RC to be cut. (also
> FYI Strata this week) Given we release relatively infrequently it seemed a
> better idea to spend an additional few days knocking this one down so it's
> not an open question going forward. If folks disagree please state as such
> as I'd rather not spend the time reviewing again just to have to review
> another RC.
> 
> Patrick
> 
> 
> 
>> Best regards
>> Enrico
>> 
>> Il giorno lun 23 set 2019 alle ore 11:22 Enrico Olivelli <
>> eolivelli@gmail.com> ha scritto:
>> 
>>> Links to the details:
>>> https://github.com/FasterXML/jackson-databind/issues/2449
>>> https://github.com/FasterXML/jackson-databind/issues/2449
>>> 
>>> @Andor Molnár <andor@apache.org>  is it a -1 from your side ?
>>> 
>>> The rush for 3.5.6 is more about delivering a version of ZK without the
>>> security issues reported for Jackson Databind, so it may make sense to
>>> cancel this vote (but I am not doing it actually)
>>> Btw we can't follow the fast pace of DataBind and CVEs
>>> 
>>> This is interesting
>>> 
>>> 
>> https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
>>> 
>>> 
>>> As we are not affected but the issues above I suggest to move forward
>> with
>>> the current tag
>>> 
>>> 
>>> 
>>> Enrico
>>> 
>>> Il giorno lun 23 set 2019 alle ore 11:07 Norbert Kalmar
>>> <nkalmar@cloudera.com.invalid> ha scritto:
>>> 
>>>> These CVE's do no affect ZooKeeper, both is related to Hikari which is
>> not
>>>> used at all by ZooKeeper. (It's a JDBC connection pooling library)
>>>> 
>>>> 
>> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
>>>> 
>>>> 
>>>> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <andor@apache.org> wrote:
>>>> 
>>>>> Hi Enrico!
>>>>> 
>>>>> Looks like owasp is reporting 2 new issues with
>>>> jackson-databind-2.9.9.3:
>>>>> 
>>>>> 
>>>>> 
>>>> 
>> https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
>>>>> 
>>>>> If I’m not mistaken.
>>>>> 
>>>>> Andor
>>>>> 
>>>>> 
>>>>> 
>>>>>> On 2019. Sep 20., at 22:18, Enrico Olivelli <eolivelli@gmail.com>
>>>> wrote:
>>>>>> 
>>>>>> This is a bugfix release candidate for 3.5.6.
>>>>>> 
>>>>>> It fixes 27 issues, including upgrade of third party libraries,
>>>>>> TTL Node APIs for C API, support for PCKS12 Keystores, and better
>>>>> procedure
>>>>>> for the upgrade of servers from 3.4 to 3.5.
>>>>>> 
>>>>>> The full release notes is available at:
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>>>>>> 
>>>>>> *** Please download, test and vote by September 23th 2019, 23:59
>>>> UTC+0.
>>>>> ***
>>>>>> 
>>>>>> Source files:
>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
>>>>>> 
>>>>>> Maven staging repo:
>>>>>> 
>>>>> 
>>>> 
>> https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
>>>>>> 
>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc1
>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
>>>>>> 
>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the
>> release:
>>>>>> https://www.apache.org/dist/zookeeper/KEYS
>>>>>> 
>>>>>> Should we release this candidate?
>>>>>> 
>>>>>> Enrico Olivelli
>>>>> 
>>>>> 
>>>> 
>>> 
>> 


Mime
View raw message