Still checking; however, there is at least one finding I would like to highlight. Currently the Elasticsearch connector depends on jackson-bom 2.13.2.20220328, which has 2 CVEs, CVE-2022-42003 [1] and CVE-2022-42004 [2], fixed in 2.13.4.20221013 [3]. Does it make sense to include it in this version?
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004
[3] https://github.com/FasterXML/jackson-databind/issues/3590#issue-1362567066

On Wed, Nov 2, 2022 at 12:01 PM Chesnay Schepler <ches...@apache.org> wrote:

> Hi everyone,
> Please review and vote on the release candidate #1 for the version
> 3.0.0, as follows:
> [ ] +1, Approve the release
> [ ] -1, Do not approve the release (please provide specific comments)
>
> The complete staging area is available for your review, which includes:
> * JIRA release notes [1],
> * the official Apache source release to be deployed to dist.apache.org
> [2], which are signed with the key with fingerprint C2EED7B111D464BA [3],
> * all artifacts to be deployed to the Maven Central Repository [4],
> * source code tag [5],
> * website pull request listing the new release [6].
>
> The vote will be open for at least 72 hours. It is adopted by majority
> approval, with at least 3 PMC affirmative votes.
>
> Note: This is the first release of an externalized connector, relying on
> a new set of scripts. Double-check _everything_.
>
> Thanks,
> Release Manager
>
> [1] https://issues.apache.org/jira/projects/FLINK/versions/12352291
> [2] https://dist.apache.org/repos/dist/dev/flink/flink-connector-elasticsearch-3.0.0-rc1/
> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> [4] https://repository.apache.org/content/repositories/orgapacheflink-1543/
> [5] https://github.com/apache/flink-connector-elasticsearch/releases/tag/v3.0.0-rc1
> [6] https://github.com/apache/flink-web/pull/579
>

--
Best regards, Sergey
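The check Sergey ran by hand (is the jackson-bom the release candidate resolves older than the version that carries the fix?) is the kind of thing worth scripting for every RC vote. The following is an added example, not code from the thread or from the Flink project: it parses the coordinates printed by `mvn dependency:list`, compares the resolved version of each artifact of interest against a minimum fixed version, and reports the CVEs that are still open. The dependency output below is constructed for the example; the fixed-version table contains only what the thread states (jackson-bom 2.13.4.20221013 for CVE-2022-42003 and CVE-2022-42004). The four-component Jackson version scheme (2.13.2.20220328) is handled by comparing components numerically and padding shorter versions with zeros, and a pre-release qualifier such as -rc1 is treated as older than the final release with the same numbers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `mvn dependency:list` output; not real project output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson:jackson-bom:pom:2.13.2.20220328:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
[INFO]    org.apache.flink:flink-core:jar:1.16.0:provided
"""

# groupId:artifactId -> (first version carrying the fix, CVEs fixed there).
# Only the entry the thread documents is included here.
KNOWN_FIXES: Dict[str, Tuple[str, List[str]]] = {
    "com.fasterxml.jackson:jackson-bom": (
        "2.13.4.20221013",
        ["CVE-2022-42003", "CVE-2022-42004"],
    ),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int, int], int]:
    """Turn '2.13.2.20220328', '2.13.4' or '2.14.0-rc1' into a comparable key.

    Numeric components are compared as integers (a plain string compare would
    rank '2.13.2.20220328' above '2.13.4'); shorter versions are padded with
    zeros, and a qualifier (rc1, SNAPSHOT, ...) sorts below the final release
    with the same numbers.  Components beyond the fourth are ignored.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    qualifier = match.group(2) or ""
    padded = tuple((numbers + [0, 0, 0, 0])[:4])
    return padded, 0 if qualifier else 1


def parse_dependency_list(text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> resolved version from dependency:list lines.

    Coordinates have the shape groupId:artifactId:type[:classifier]:version:scope,
    so the version is always the second-to-last colon-separated field.
    """
    resolved: Dict[str, str] = {}
    for line in text.splitlines():
        body = line.replace("[INFO]", "", 1).strip()
        if not body:
            continue
        coordinate = body.split()[0]          # drop any trailing annotations
        parts = coordinate.split(":")
        if len(parts) < 5:                    # header lines and the like
            continue
        resolved[f"{parts[0]}:{parts[1]}"] = parts[-2]
    return resolved


def find_vulnerable(
    resolved: Dict[str, str],
    known_fixes: Dict[str, Tuple[str, List[str]]] = KNOWN_FIXES,
) -> List[Tuple[str, str, str, List[str]]]:
    """Return (coordinate, resolved version, fixed-in version, CVEs) for each
    tracked artifact whose resolved version is older than the fixed version."""
    findings = []
    for coordinate, version in resolved.items():
        if coordinate not in known_fixes:
            continue
        fixed_in, cves = known_fixes[coordinate]
        if parse_version(version) < parse_version(fixed_in):
            findings.append((coordinate, version, fixed_in, cves))
    return findings


if __name__ == "__main__":
    for coordinate, version, fixed_in, cves in find_vulnerable(
        parse_dependency_list(SAMPLE_DEPENDENCY_LIST)
    ):
        print(f"{coordinate} {version} < {fixed_in}: {', '.join(cves)}")
```

Against a real candidate, run `mvn dependency:list` in the unpacked source release and feed its output to `parse_dependency_list`; the table of fixed versions is the part that needs maintaining, and it should list the first fixed version of each artifact rather than the latest one, so that a later patch release does not produce a false positive.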