lhotari commented on issue #25783: URL: https://github.com/apache/pulsar/issues/25783#issuecomment-4517515854
> > It seems that https://issues.apache.org/jira/browse/AVRO-4209 doesn't apply to 1.11.x at all. I'll create a PR to upgrade Pulsar 4.0.x branch to use 1.11.5.
>
> [@lhotari](https://github.com/lhotari) Any update by when the version upgrade to 1.11.5 will be done?

The cadence of OSS release for Pulsar is 1 to 3 months. The last release was started on Apr 23rd. ETA is first week of June. In our project each release has a relatively high overhead, so that's the reason for the release cadence. For extremely critical bugs or security issues, there's a fast path. Since CVE-2025-33042 is considered "6.9 / 10 Moderate" in GH security advisory, it doesn't trigger the fast path for releasing a patch.

The upgrade for 1.11.5 should have been made earlier for branch-4.0 since there is a commitment for LTS releases (Pulsar 4.0) to address all CVEs that don't cause breaking changes even when they aren't high severity CVEs. I missed the fact earlier that 1.11.5 doesn't contain AVRO-4209. One reason is that branch-4.0 upgraded to Avro 12.x, but it was later rolled back to 11.x due to breaking changes.
