As there are no objections, and unfortunately Sönke does not have the
necessary permissions, I volunteer as an RM and plan to start the 1.1.3
release process this week.

Istvan

On Thu, Mar 20, 2025 at 6:40 PM Istvan Toth <st...@cloudera.com> wrote:

> The old hbase-thirdparty is specifically a branch-2.5 issue.
>
> As 2.5.12 is a few months off, I think that we could go to 2.6.2 instead
> which has the latest HBase-thirdparty.
> All HBase 2.x versions are wire compatible, so it shouldn't be a problem.
>
> On Wed, Mar 19, 2025 at 11:31 AM Sönke Liebau
> <soenke.lie...@stackable.tech.invalid> wrote:
>
>> Hi Istvan,
>>
>> as discussed off list, I also ran a scan for a 1.1.3-SNAPSHOT build, and
>> came to similar results (not a perfect match, but an exact science it
>> ain't :)
>>
>> avro:1.9.2 -> CVE-2024-47561, CVE-2023-394100
>> netty-codec-http:4.1.97.Final -> CVE-2024-29025, GHSA-xpw8-rcwv-8f8p
>> netty-common:4.1.97.Final -> CVE-2024-47535, CVE-2025-25193
>> netty-handler:4.1.97.Final -> CVE-2025-24970
>> protobuf-java:2.5.0 -> CVE-2021-22569, CVE-2021-22570, CVE-2022-3171,
>> CVE-2022-3509, CVE-2022-3510, CVE-2024-7254
>>
>> So basically the only thing "extra" in that list is Avro, not sure why
>> tbh.  But that comes in via Hadoop, so nothing to be done there I guess.
>>
>> I have posted the results in a spreadsheet here as well:
>>
>> https://docs.google.com/spreadsheets/d/11VvFnIgGksun1J3HolV8wpXmPqThI6tZ1R_8UaUAOsE/edit?gid=1478559804#gid=1478559804
>> in case anybody is interested.
>> I've also included the dependency graphs on extra sheets.
>>
>> But basically I'd say this is as good as it is gonna get and as you said,
>> much much much better than 1.1.2
>>
>> Best regards,
>> Sönke
>>
>> On Tue, Mar 18, 2025 at 5:15 PM Istvan Toth <st...@cloudera.com.invalid>
>> wrote:
>>
>> > Thanks for the offer Sönke, but the release process requires permissions
>> > that only PMCs have and there is only so much you could do without that.
>> >
>> > Unfortunately your screenshot didn't make it to my Gmail.
>> > Can you attach it or copy-paste the text version?
>> >
>> > Yes, most (on master all) CVEs are transitive from Hadoop and HBase, and
>> > the new versions are still significantly better than 1.1.2
>> >
>> > I've run *mvn clean verify -Powasp-dependency-check -DnvdApiKey=<mykey>*
>> > to get the CVE list
>> > (You need to update the OWASP plugin version to 11.0.2, and use at least
>> > Java 11)
>> >
>> > I don't want to copy paste it here because it's huge, but it's
>> > basically:
>> >
>> > - protobuf 2.5.0, which we cannot do anything about until HBase 3
>> > - Netty 4.1.97 Final from hbase-thirdparty 4.1.5
>> > - Jetty 9.4.52 from hbase-thirdparty 4.1.5
>> > - Netty 4.1.100 from Hadoop (see OMID-302)
>> > - Jetty websocket 9.4.53 from Hadoop.
>> >
>> > Not ideal, but MUCH better than 1.1.2, which has about a dozen more
>> > components with CVEs, many of them REALLY old from Hadoop 3.4.2.
>> > (HBase should probably have bumped the thirdparty version before
>> > releasing 2.5.11, but it's too late now)
>> >
>> > Due to the Hadoop->HBase->Omid release timelines, it's unlikely that
>> > we'd ever get a fully CVE free release, but we should make an effort at
>> > least.
>> >
>> > Istvan
>> >
>> >
>> >
>> > On Tue, Mar 18, 2025 at 2:31 PM Sönke Liebau
>> > <soenke.lie...@stackable.tech.invalid> wrote:
>> >
>> > > Hi Istvan,
>> > >
>> > > I have taken a brief look at the results of our vulnerability
>> > > scanning, and while Omid doesn't fare too well there, I think a lot of
>> > > the vulnerabilities we cannot do much about.
>> > >
>> > > 48 of the critical ones are due to jackson databind 2.4.0 which is
>> > > still pulled in by the Hadoop version that is used by the HBase version
>> > > omid uses (I believe also in the updated version for 1.1.3) which we
>> > > can't do much about in this project I guess..
>> > >
>> > >
>> > > Quite a few of the other vulnerabilities also come in via
>> > > dependencies of Hadoop, so may vanish with the update. I am happy to
>> > > build and scan an image with the current master branch to get a
>> > > comparison and see if there are any low hanging fruits remaining, but
>> > > you probably did that already yourself?
>> > >
>> > > Also, I'd be happy to help with the release, if there is documentation
>> > > that could guide me along the way I could be persuaded to be the
>> > > release manager as well, but that may end up just meaning a lot of
>> > > questions for everybody else :)
>> > >
>> > > Best regards,
>> > > Sönke
>> > >
>> > >
>> > >
>> > > On Tue, Mar 18, 2025 at 10:26 AM Istvan Toth <st...@apache.org> wrote:
>> > >
>> > >> Hi!
>> > >>
>> > >> As we're preparing for Phoenix 5.2.2, I have identified a few
>> > >> transitive CVEs from Omid.
>> > >> The last Phoenix release was a year ago, and there are more than a
>> > >> dozen unreleased CVE, build, and dependency version fixes on the master
>> > >> branch.
>> > >>
>> > >> I propose releasing Omid 1.1.3 from the current master branch.
>> > >>
>> > >> Do you have any objections?
>> > >> Are there any open issues that should be fixed for 1.1.3?
>> > >> If we decide to release, would anyone volunteer to be the 1.1.3
>> > >> Release Manager?
>> > >>
>> > >> Istvan
>> > >>
>> > >
>> >
>> > --
>> > *István Tóth* | Sr. Staff Software Engineer
>> > *Email*: st...@cloudera.com
>> > cloudera.com <https://www.cloudera.com>
>> > [image: Cloudera] <https://www.cloudera.com/>
>> > [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image:
>> > Cloudera on Facebook] <https://www.facebook.com/cloudera> [image:
>> Cloudera
>> > on LinkedIn] <https://www.linkedin.com/company/cloudera>
>> > ------------------------------
>> > ------------------------------
>> >
>>
>


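The scan step quoted in the thread (running `mvn clean verify -Powasp-dependency-check -DnvdApiKey=<mykey>` with OWASP plugin 11.0.2 on Java 11), written out as an added Maven profile example; this is not the Omid pom's own profile. The profile id, plugin version and the `nvdApiKey` property follow the thread; the CVSS fail threshold, the report formats and the suppression file path are assumptions.

```xml
<!-- Added example, not taken from the Omid pom: a Maven profile wired so that
     "mvn clean verify -Powasp-dependency-check -DnvdApiKey=<mykey>"
     runs the OWASP dependency-check plugin 11.0.2 in the verify phase.
     The failBuildOnCVSS value, report formats and suppression path are assumptions. -->
<profile>
  <id>owasp-dependency-check</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>11.0.2</version>
        <configuration>
          <!-- NVD API key comes from the command line (-DnvdApiKey=...), never from the pom -->
          <nvdApiKey>${nvdApiKey}</nvdApiKey>
          <!-- Fail the build on findings with CVSS >= 7 (high/critical);
               the plugin default of 11 never fails the build -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- HTML for reading, JSON for diffing transitive findings
               (netty/jetty via hbase-thirdparty, protobuf via HBase) across releases -->
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
          <!-- Accepted transitive findings that cannot be fixed in this project
               are recorded once, with a reason, instead of silently ignored -->
          <suppressionFiles>
            <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <executions>
          <execution>
            <!-- the check goal binds to the verify phase by default -->
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>
```

The profile is only active when selected with `-P`, so a routine build without the API key is unaffected.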