Pekko HTTP 1.1.0 jars should hopefully be released tonight. Pekko gRPC will need a PR to uptake this but then we are good to go for an RC for Pekko gRPC 1.1.0. I can release manage this if no one else is available.
On 2024/09/27 09:24:03 Arnout Engelen wrote:
> On Wed, Sep 25, 2024 at 5:37 PM PJ Fanning <fannin...@apache.org> wrote:
> > The Pekko HTTP 1.1.0 release is the only blocker on releasing Pekko gRPC
> > 1.1.0.
>
> Nice!
>
> > The HTTP release needs 1 more PPMC member approval to proceed [1].
> > [1] https://lists.apache.org/thread/9pdjwc38fymspmcg2y5jrwwsb6cjrngo
>
> Yes please :)
>
> > The Pekko gRPC release is relatively pressing because protobuf-java
> > has CVE-2024-7254 [2] that we need a new release to uptake.
>
> It's possible that Pekko gRPC handles the StackOverflowError caused by
> CVE-2024-7254 and just fails the request instead of crashing the
> entire service. If that is the case then CVE-2024-7254 might not be
> that urgent for us (but of course still good to get out of the way).
>
>
> Kind regards,
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant