Thank you very much Istvan!!! On Mon, Mar 24, 2025 at 8:57 AM Istvan Toth <st...@cloudera.com.invalid> wrote:
> As there are no objections, and unfortunately Sönke does not have the > necessary permissions, I volunteer as an RM and plan to start the 1.1.3 > release process this week. > > Istvan > > On Thu, Mar 20, 2025 at 6:40 PM Istvan Toth <st...@cloudera.com> wrote: > > > The old hbase-thirdparty is specifically a branch-2.5 issue. > > > > As 2.5.12 is a few months off, I think that we could go to 2.6.2 instead > > which has the latest HBase-thirdparty. > > All HBase 2.x versions are wire compatible, so it shouldn't be a problem. > > > > On Wed, Mar 19, 2025 at 11:31 AM Sönke Liebau > > <soenke.lie...@stackable.tech.invalid> wrote: > > > >> Hi Istvan, > >> > >> as discussed of list, I also ran a scan for a 1.1.3-SNAPSHOT build, and > >> came to similar results (not a perfect match, but an exact science it > >> ain't > >> :) > >> > >> avro:1.9.2 -> CVE-2024-47561, CVE-2023-394100 > >> netty-codec-http:4.1.97.Final -> CVE-2024-29025, GHSA-xpw8-rcwv-8f8p > >> netty-common:4.1.97.Final -> CVE-2024-47535, CVE-2025-25193 > >> netty-handler:4.1.97.Final -> CVE-2025-24970 > >> protobuf-java:2.5.0 -> CVE-2021-22569, CVE-2021-22570, CVE-2022-3171, > >> CVE-2022-3509, CVE-2022-3510, CVE-2024-7254 > >> > >> So basically the only thing "extra" in that list is Avro, not sure why > >> tbh. But that comes in via Hadoop, so nothing to be done there I guess. > >> > >> I have posted the results in a spreadsheet here as well: > >> > >> > https://docs.google.com/spreadsheets/d/11VvFnIgGksun1J3HolV8wpXmPqThI6tZ1R_8UaUAOsE/edit?gid=1478559804#gid=1478559804 > >> in case anybody is interested. > >> I've also included the dependency graphs on extra sheets. > >> > >> But basically I'd say this is as good as it is gonna get and as you > said, > >> much much much better than 1.1.2 > >> > >> Best regards, > >> Sönke > >> > >> On Tue, Mar 18, 2025 at 5:15 PM Istvan Toth <st...@cloudera.com.invalid > > > >> wrote: > >> > >> > Thanks for the offer Sönke, but the release process requires > permissions > >> > that only PMCs have and there is only so much you could do without > that. > >> > > >> > Unfortunately your screenshot didn't make it to my Gmail. > >> > Can you attach it or copy-paste the text version ? > >> > > >> > Yes, most (on master all) CVEs are transitive from Hadoop and HBase, > and > >> > the new versions are still significantly better than 1.1.2 > >> > > >> > I've run *mvn clean verify -Powasp-dependency-check > -DnvdApiKey=<mykey> > >> * > >> > to > >> > get the CVE list > >> > (You need to update the OWASP plugin version to 11.0.2 , and use at > >> least > >> > Java 11) > >> > > >> > I don't want to copy paste it here because it's huge, but it's > >> basically: > >> > > >> > - protobuf 2.5.0. which cannot do anything about until Hbase 3 > >> > - Netty 4.1.97 Final from hbase-thirdparty 4.1.5 > >> > - Jetty 9.4.52 from hbase-thirdparty 4.1.5 > >> > - Netty 4.1.100 from Hadoop (see OMID-302) > >> > - Jetty websocket 9.4.53 from Hadoop. > >> > > >> > Not ideal, but MUCH better than 1.1.2, which has about a dozen more > >> > components with CVEs, many of them REALLY old from Hadoop 3.4.2. > >> > (HBase should probably have bumped the thirdparty version before > >> releasing > >> > 2.5.11, but it's too late now) > >> > > >> > Due to the Hadoop->HBase->Omid release timelines, it's unlikely that > >> we'd > >> > ever get a fully CVE free release, but we should make an effort at > >> least. > >> > > >> > Istvan > >> > > >> > > >> > > >> > On Tue, Mar 18, 2025 at 2:31 PM Sönke Liebau > >> > <soenke.lie...@stackable.tech.invalid> wrote: > >> > > >> > > Hi Istvan, > >> > > > >> > > I have taken a brief look at the results of our vulnerability > >> scanning, > >> > > and while Omid doesn't fare too well there, I think a lot of the > >> > > vulnerabilities we cannot do much about. > >> > > > >> > > 48 of the critical ones are due to jackson databind 2.4.0 which is > >> still > >> > > pulled in by the Hadoop version that is used by the HBase version > omid > >> > uses > >> > > (I believe also in the updated version for 1.1.3) which we can't do > >> much > >> > > about in this project I guess.. > >> > > > >> > > > >> > > [image: image.png] > >> > > > >> > > Quite a few of the other vulnerabilities also come in via > >> dependencies of > >> > > Hadoop, so may vanish with the update. I am happy to build and scan > an > >> > > image with the current master branch to get a comparison and see if > >> there > >> > > are any low hanging fruits remaining, but you probably did that > >> already > >> > > yourself? > >> > > > >> > > Also, I'd be happy to help with the release, if there is > documentation > >> > > that could guide me along the way I could be persuaded to be the > >> release > >> > > manager as well, but that may end up just meaning a lot of questions > >> for > >> > > everybody else :) > >> > > > >> > > Best regards, > >> > > Sönke > >> > > > >> > > > >> > > > >> > > On Tue, Mar 18, 2025 at 10:26 AM Istvan Toth <st...@apache.org> > >> wrote: > >> > > > >> > >> Hi! > >> > >> > >> > >> As we're preparing for Phoenix 5.2.2, I have identified a few > >> transitive > >> > >> CVEs from Omid. > >> > >> The last Phoenix release was a year ago, and there are more than a > >> dozen > >> > >> unreleased CVE, build, and dependency version fixes on the master > >> > branch. > >> > >> > >> > >> I propose releasing Omid 1.1.3 from the current master branch. > >> > >> > >> > >> Do you have any objections ? > >> > >> Are there any open issues that should be fixed for 1.1.3 ? > >> > >> If we decide to release, would anyone volunteer to be the 1.1.3 > >> Release > >> > >> Manager ? > >> > >> > >> > >> Istvan > >> > >> > >> > > > >> > > >> > -- > >> > *István Tóth* | Sr. Staff Software Engineer > >> > *Email*: st...@cloudera.com > >> > cloudera.com <https://www.cloudera.com> > >> > [image: Cloudera] <https://www.cloudera.com/> > >> > [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: > >> > Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: > >> Cloudera > >> > on LinkedIn] <https://www.linkedin.com/company/cloudera> > >> > ------------------------------ > >> > ------------------------------ > >> > > >> > > > > > > -- > > *István Tóth* | Sr. Staff Software Engineer > > *Email*: st...@cloudera.com > > cloudera.com <https://www.cloudera.com> > > [image: Cloudera] <https://www.cloudera.com/> > > [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: > > Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: > > Cloudera on LinkedIn] <https://www.linkedin.com/company/cloudera> > > ------------------------------ > > ------------------------------ > > > > > -- > *István Tóth* | Sr. Staff Software Engineer > *Email*: st...@cloudera.com > cloudera.com <https://www.cloudera.com> > [image: Cloudera] <https://www.cloudera.com/> > [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: > Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: Cloudera > on LinkedIn] <https://www.linkedin.com/company/cloudera> > ------------------------------ > ------------------------------ >
