Hi all, BookKeeper 4.16.6 was released on June 26th, 3 months ago, and I would like to discuss starting the 4.16.7 release to include some critical security and bug fixes.
The main reason for driving this release is the need to have a new release for Pulsar 3.0.7 with a fix for Protobuf CVE-2024-7254. That CVE is categorized as high (8.7/10). It's a potential denial-of-service issue that doesn't pose a practical additional risk for BookKeeper or Pulsar users. Since it's in the high category, we must address it before the release. It's necessary to upgrade protobuf-java to 3.25.5 and include a compatible grpc-java version as well. Past experience in Pulsar has taught us that this has been the safest approach to handle protobuf-java upgrades first in BookKeeper and after that in Pulsar. The merged PR to upgrade to protobuf-java 3.25.5 in the master branch is https://github.com/apache/bookkeeper/pull/4508. Here are the current PRs for 4.16.7: https://github.com/apache/bookkeeper/pulls?q=is%3Apr+label%3Arelease%2F4.16.7+is%3Amerged If you have other PRs that you want to be included in this release, please tag the PR with "release/4.16.7" and reply to this thread. I'd like to volunteer as the release manager for this release. I haven't performed this role in the BookKeeper project before, so I hope there's someone who could assist me when I need help. Thanks, -Lari
