On Wed, Sep 25, 2024 at 5:37 PM PJ Fanning <fannin...@apache.org> wrote:
> The Pekko HTTP 1.1.0 release is the only blocker on releasing Pekko gRPC
> 1.1.0.

Nice!

> The HTTP release needs 1 more PPMC member approval to proceed [1].
> [1] https://lists.apache.org/thread/9pdjwc38fymspmcg2y5jrwwsb6cjrngo

Yes please :)

> The Pekko gRPC release is relatively pressing because protobuf-java
> has CVE-2024-7254 [2] that we need a new release to uptake.

It's possible that Pekko gRPC handles the StackOverflowError caused by
CVE-2024-7254 and just fails the request instead of crashing the entire
service. If that is the case then CVE-2024-7254 might not be that urgent
for us (but of course still good to get out of the way).

Kind regards,

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant