I have identified two more issues that I'd like to resolve in 1.1.3:

One is a trivial version bump:
https://issues.apache.org/jira/browse/OMID-259
The other one is enabling TLS v1.3:
https://issues.apache.org/jira/browse/OMID-305

Please take a look at them.
The TLS 1.3 support basically consists of removing manual cipher management.

Istvan

On Mon, Mar 24, 2025 at 9:00 AM Sönke Liebau
<soenke.lie...@stackable.tech.invalid> wrote:

> Thank you very much Istvan!!!
>
> On Mon, Mar 24, 2025 at 8:57 AM Istvan Toth <st...@cloudera.com.invalid>
> wrote:
>
> > As there are no objections, and unfortunately Sönke does not have the
> > necessary permissions, I volunteer as an RM and plan to start the 1.1.3
> > release process this week.
> >
> > Istvan
> >
> > On Thu, Mar 20, 2025 at 6:40 PM Istvan Toth <st...@cloudera.com> wrote:
> >
> > > The old hbase-thirdparty is specifically a branch-2.5 issue.
> > >
> > > As 2.5.12 is a few months off, I think that we could go to 2.6.2 instead,
> > > which has the latest HBase-thirdparty.
> > > All HBase 2.x versions are wire compatible, so it shouldn't be a problem.
> > >
> > > On Wed, Mar 19, 2025 at 11:31 AM Sönke Liebau
> > > <soenke.lie...@stackable.tech.invalid> wrote:
> > >
> > >> Hi Istvan,
> > >>
> > >> as discussed off list, I also ran a scan for a 1.1.3-SNAPSHOT build, and
> > >> came to similar results (not a perfect match, but an exact science it
> > >> ain't :)
> > >>
> > >> avro:1.9.2 -> CVE-2024-47561, CVE-2023-394100
> > >> netty-codec-http:4.1.97.Final -> CVE-2024-29025, GHSA-xpw8-rcwv-8f8p
> > >> netty-common:4.1.97.Final -> CVE-2024-47535, CVE-2025-25193
> > >> netty-handler:4.1.97.Final -> CVE-2025-24970
> > >> protobuf-java:2.5.0 -> CVE-2021-22569, CVE-2021-22570, CVE-2022-3171,
> > >> CVE-2022-3509, CVE-2022-3510, CVE-2024-7254
> > >>
> > >> So basically the only thing "extra" in that list is Avro, not sure why
> > >> tbh. But that comes in via Hadoop, so nothing to be done there I guess.
> > >>
> > >> I have posted the results in a spreadsheet here as well:
> > >> https://docs.google.com/spreadsheets/d/11VvFnIgGksun1J3HolV8wpXmPqThI6tZ1R_8UaUAOsE/edit?gid=1478559804#gid=1478559804
> > >> in case anybody is interested.
> > >> I've also included the dependency graphs on extra sheets.
> > >>
> > >> But basically I'd say this is as good as it is gonna get and as you said,
> > >> much much much better than 1.1.2
> > >>
> > >> Best regards,
> > >> Sönke
> > >>
> > >> On Tue, Mar 18, 2025 at 5:15 PM Istvan Toth <st...@cloudera.com.invalid>
> > >> wrote:
> > >>
> > >> > Thanks for the offer Sönke, but the release process requires permissions
> > >> > that only PMCs have and there is only so much you could do without that.
> > >> >
> > >> > Unfortunately your screenshot didn't make it to my Gmail.
> > >> > Can you attach it or copy-paste the text version ?
> > >> >
> > >> > Yes, most (on master all) CVEs are transitive from Hadoop and HBase, and
> > >> > the new versions are still significantly better than 1.1.2
> > >> >
> > >> > I've run *mvn clean verify -Powasp-dependency-check -DnvdApiKey=<mykey>*
> > >> > to get the CVE list
> > >> > (You need to update the OWASP plugin version to 11.0.2, and use at least
> > >> > Java 11)
> > >> >
> > >> > I don't want to copy paste it here because it's huge, but it's basically:
> > >> >
> > >> > - protobuf 2.5.0, which we cannot do anything about until HBase 3
> > >> > - Netty 4.1.97 Final from hbase-thirdparty 4.1.5
> > >> > - Jetty 9.4.52 from hbase-thirdparty 4.1.5
> > >> > - Netty 4.1.100 from Hadoop (see OMID-302)
> > >> > - Jetty websocket 9.4.53 from Hadoop.
> > >> >
> > >> > Not ideal, but MUCH better than 1.1.2, which has about a dozen more
> > >> > components with CVEs, many of them REALLY old from Hadoop 3.4.2.
> > >> > (HBase should probably have bumped the thirdparty version before releasing
> > >> > 2.5.11, but it's too late now)
> > >> >
> > >> > Due to the Hadoop->HBase->Omid release timelines, it's unlikely that we'd
> > >> > ever get a fully CVE free release, but we should make an effort at least.
> > >> >
> > >> > Istvan
> > >> >
> > >> >
> > >> >
> > >> > On Tue, Mar 18, 2025 at 2:31 PM Sönke Liebau
> > >> > <soenke.lie...@stackable.tech.invalid> wrote:
> > >> >
> > >> > > Hi Istvan,
> > >> > >
> > >> > > I have taken a brief look at the results of our vulnerability scanning,
> > >> > > and while Omid doesn't fare too well there, I think a lot of the
> > >> > > vulnerabilities we cannot do much about.
> > >> > >
> > >> > > 48 of the critical ones are due to jackson databind 2.4.0 which is still
> > >> > > pulled in by the Hadoop version that is used by the HBase version omid
> > >> > > uses (I believe also in the updated version for 1.1.3) which we can't do
> > >> > > much about in this project I guess...
> > >> > >
> > >> > > Quite a few of the other vulnerabilities also come in via dependencies of
> > >> > > Hadoop, so may vanish with the update. I am happy to build and scan an
> > >> > > image with the current master branch to get a comparison and see if there
> > >> > > are any low hanging fruits remaining, but you probably did that already
> > >> > > yourself?
> > >> > >
> > >> > > Also, I'd be happy to help with the release, if there is documentation
> > >> > > that could guide me along the way I could be persuaded to be the release
> > >> > > manager as well, but that may end up just meaning a lot of questions for
> > >> > > everybody else :)
> > >> > >
> > >> > > Best regards,
> > >> > > Sönke
> > >> > >
> > >> > >
> > >> > >
> > >> > > On Tue, Mar 18, 2025 at 10:26 AM Istvan Toth <st...@apache.org> wrote:
> > >> > >
> > >> > >> Hi!
> > >> > >>
> > >> > >> As we're preparing for Phoenix 5.2.2, I have identified a few transitive
> > >> > >> CVEs from Omid.
> > >> > >> The last Phoenix release was a year ago, and there are more than a dozen
> > >> > >> unreleased CVE, build, and dependency version fixes on the master branch.
> > >> > >>
> > >> > >> I propose releasing Omid 1.1.3 from the current master branch.
> > >> > >>
> > >> > >> Do you have any objections?
> > >> > >> Are there any open issues that should be fixed for 1.1.3?
> > >> > >> If we decide to release, would anyone volunteer to be the 1.1.3 Release
> > >> > >> Manager?
> > >> > >>
> > >> > >> Istvan
> > >> > >>
> > >> > >
> > >> >
> > >> > --
> > >> > *István Tóth* | Sr. Staff Software Engineer
> > >> > *Email*: st...@cloudera.com
> > >> > cloudera.com <https://www.cloudera.com>
> > >> > [image: Cloudera] <https://www.cloudera.com/>
> > >> > [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image:
> > >> > Cloudera on Facebook] <https://www.facebook.com/cloudera> [image:
> > >> Cloudera
> > >> > on LinkedIn] <https://www.linkedin.com/company/cloudera>
> > >> > ------------------------------
> > >> > ------------------------------
> > >> >
> > >>
> > >
> > >
> > >
> >
> >
> >
>

