zookeeper-dev mailing list archives

From Andor Molnar <an...@apache.org>
Subject Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
Date Tue, 01 Oct 2019 08:38:54 GMT
Backporting Netty 4 would be a huge, cumbersome task, I hope we don’t have to do it.

However I had a quick look at the details of this CVE and it seems to me that it only affects
the HTTP codec:
https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95

Can’t we just say 3.4.14 is not affected?
We’re not running an HTTP server inside ZooKeeper.

Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4 EOL and highlight
on the webpage that this CVE probably won’t be resolved on that branch, please upgrade to 3.5.

As a third option we could ask Norman to kindly fix 3.10.6.Final as well… or submit a PR
ourselves, it doesn’t seem to me a big deal.

What do you think?

Andor




> On 2019. Oct 1., at 2:00, Patrick Hunt <phunt@apache.org> wrote:
> 
> I pushed patches for 3.5 and trunk and the tests passed on my mac. However
> 3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade
> (there are no fixes against 3.10 for this CVE, at least not so far). Not
> sure what we want to do about this... someone would need to backport the
> netty 4.1 changes into 3.4 afaict.
> 
> Patrick
> 
> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <phunt@apache.org> wrote:
> 
>> I'll work on it today.
>> 
>> Patrick
>> 
>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <eolivelli@gmail.com>
>> wrote:
>> 
>>> Okay
>>> 
>>> I am cancelling the release.
>>> 
>>> I have a problem with my box, I can't work on netty upgrade.
>>> 
>>> Any volunteer?
>>> 
>>> Enrico
>>> 
>>> Il lun 30 set 2019, 20:32 Andor Molnar <andor@apache.org> ha scritto:
>>> 
>>>> The good news is: we need to release 3.4.15 too. :)
>>>> 
>>>> Andor
>>>> 
>>>> 
>>>> 
>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <phunt@apache.org> wrote:
>>>>> 
>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
>>>>> 
>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <phunt@apache.org> wrote:
>>>>> 
>>>>>> -1 - when I run dependency check on the release candidate artifact it's
>>>>>> failing with:
>>>>>> 
>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
>>>>>> 
>>>>>> I ran this on trunk and it's passing, as such it must be an issue with
>>>>>> the 3.5.6 netty version specifically. It's listed as a high, we should
>>>>>> patch this as well before releasing.
>>>>>> 
>>>>>> Patrick
>>>>>> 
>>>>>> 
>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <eolivelli@gmail.com>
>>>>>> wrote:
>>>>>> 
>>>>>>> This is a bugfix release candidate for 3.5.6.
>>>>>>> 
>>>>>>> It fixes 28 issues, including upgrade of third party libraries,
>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
>>>>>>> procedure for the upgrade of servers from 3.4 to 3.5.
>>>>>>> 
>>>>>>> The full release notes are available at:
>>>>>>> 
>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>>>>>>> 
>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
>>>>>>> 
>>>>>>> Source files:
>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
>>>>>>> 
>>>>>>> Maven staging repo:
>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
>>>>>>> 
>>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
>>>>>>> 
>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
>>>>>>> 
>>>>>>> Should we release this candidate?
>>>>>>> Enrico Olivelli
>>>>>>> 
>>>>>> 
>>>> 
>>>> 
>>> 
>> 
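Patrick's dependency-check failure (`[ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869`) and Andor's argument that the CVE only touches an HTTP codec ZooKeeper does not use are the two halves of a release gate: a severity threshold that blocks the candidate, and a recorded justification that can consciously override it. The Python script below is an added example, not code from the ZooKeeper project or from anyone in the thread. Everything beyond the one log line quoted above is an assumption constructed for the example: the other log lines, the severity table (a real run takes ratings from the tool's report), the second finding with its placeholder CVE id, and the suppression structure.

```python
"""Gate a release candidate on dependency-check findings.

Added example, not code from the ZooKeeper project or the thread. It parses
log lines of the shape quoted in the thread and decides whether the candidate
may ship. The severity table, the second finding and the suppression
mechanism are constructed for the example; the tool's report is the real
source of ratings.
"""
import re
from dataclasses import dataclass

# Constructed sample of dependency-check output. The netty line is the one
# quoted in the thread; the other finding is made up to exercise the parser.
SAMPLE_LOG = """\
[INFO] Checking for updates
[ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
[ERROR] example-codec-1.2.3.jar: CVE-0000-PLACEHOLDER
[INFO] Analysis complete
"""

# Constructed severity lookup. Real runs take the rating from the tool's
# report (it carries CVSS scores); this dict stands in for that.
SEVERITY = {
    "CVE-2019-16869": "HIGH",       # rated high according to the thread
    "CVE-0000-PLACEHOLDER": "LOW",  # constructed
}

FINDING_RE = re.compile(
    r"^\[(?P<level>ERROR|WARNING)\]\s+(?P<jar>\S+)\.jar:\s+(?P<cve>CVE-[\w-]+)\s*$"
)
# "netty-transport-4.1.29.Final" -> ("netty-transport", "4.1.29.Final"):
# the version begins at the first "-" that is followed by a digit.
ARTIFACT_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)$")


@dataclass(frozen=True)
class Finding:
    artifact: str
    version: str
    cve: str
    severity: str


@dataclass(frozen=True)
class Suppression:
    """A finding accepted for a named artifact. The reason is mandatory so a
    reachability argument ("the HTTP codec is not used here") is recorded
    next to the decision instead of living only in a mail thread."""
    cve: str
    artifact: str
    reason: str


def parse_findings(log_text, severity=SEVERITY):
    """Extract (artifact, version, CVE, severity) from dependency-check lines."""
    findings = []
    for line in log_text.splitlines():
        m = FINDING_RE.match(line)
        if not m:
            continue  # progress and summary lines carry no finding
        a = ARTIFACT_RE.match(m["jar"])
        artifact, version = (a["artifact"], a["version"]) if a else (m["jar"], "")
        findings.append(Finding(artifact, version, m["cve"],
                                severity.get(m["cve"], "UNKNOWN")))
    return findings


def gate(log_text, suppressions=(), fail_on=("CRITICAL", "HIGH", "UNKNOWN"),
         severity=SEVERITY):
    """Return (ship, blocking, accepted).

    A finding blocks the release when its severity is in fail_on and no
    justified suppression covers it. UNKNOWN blocks by default: a finding the
    table cannot rate is not a reason to ship."""
    for s in suppressions:
        if not s.reason.strip():
            raise ValueError(f"suppression of {s.cve} on {s.artifact} needs a reason")
    suppressed = {(s.cve, s.artifact): s for s in suppressions}
    blocking, accepted = [], []
    for f in parse_findings(log_text, severity):
        s = suppressed.get((f.cve, f.artifact))
        if s is not None:
            accepted.append((f, s.reason))
        elif f.severity in fail_on:
            blocking.append(f)
    return (not blocking), blocking, accepted


if __name__ == "__main__":
    ship, blocking, accepted = gate(SAMPLE_LOG)
    print("ship:", ship)
    for f in blocking:
        print(f"  BLOCK {f.artifact} {f.version}: {f.cve} ({f.severity})")
```

Run as-is, the sample log blocks the candidate on the netty finding; passing a `Suppression` for `CVE-2019-16869` on `netty-transport` with a written reason turns that into an accepted, recorded risk, which is the shape of the "3.4.14 is not affected" decision discussed above. A suppression without a reason is rejected rather than silently applied.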

