Hi all, BookKeeper 4.17.1 was released on June 26th, about 3 months ago, and I would like to discuss starting the 4.17.2 release to include some critical security and bug fixes.
The main reason for driving this release is the need to have a new release for Pulsar 4.0 with a fix for Protobuf CVE-2024-7254. That CVE is categorized as high (8.7/10). It's a potential denial-of-service issue that doesn't pose a practical additional risk for BookKeeper or Pulsar users. Since it's in the high category, we must address it before the release.

It's necessary to upgrade protobuf-java to 3.25.5 and include a compatible grpc-java version as well. I'd suggest that we pick the most recent stable version of grpc-java that is compatible with protobuf-java 3.25.5. I'll take a closer look at addressing this in the upcoming days. The PR to upgrade to protobuf-java 3.25.5 in the master branch is https://github.com/apache/bookkeeper/pull/4508.

Regarding Pulsar 4.0, there's a Pulsar dev mailing list discussion with the updated Pulsar 4.0 timeline at https://lists.apache.org/thread/qy8xp2ht0htvctlx2cwgrq2ppnjcp4m3. It also contains a description of the protobuf-java & grpc-java coupling between Pulsar and BookKeeper. Previous experiences have taught us that the way to prevent regressions is to first upgrade protobuf-java and grpc-java in BookKeeper and only after that in Pulsar. There are some additional details about the challenges in decoupling this in a thread: https://lists.apache.org/thread/odg7p617zwqjngq6fk6qf8xfzbfwgfgq. However, this decoupling work is not feasible with this timeline and we'll proceed with the previous procedure.

Here are the current PRs for 4.17.2: https://github.com/apache/bookkeeper/pulls?q=is%3Apr+label%3Arelease%2F4.17.2+is%3Amerged

If you have other PRs that you want to be included in this release, please tag the PR with "release/4.17.2" and reply to this thread.

I'd like to volunteer as the release manager for this release. I haven't performed this role in the BookKeeper project before, so I hope there's someone who could assist me when I need help.

Thanks,
-Lari