Hi Istvan, I have taken a brief look at the results of our vulnerability scanning, and while Omid doesn't fare too well there, I think a lot of the vulnerabilities we cannot do much about.
48 of the critical ones are due to jackson-databind 2.4.0, which is still pulled in by the Hadoop version that is used by the HBase version Omid uses (I believe also in the updated version for 1.1.3), which we can't do much about in this project, I guess.

Quite a few of the other vulnerabilities also come in via dependencies of Hadoop, so they may vanish with the update.

I am happy to build and scan an image with the current master branch to get a comparison and see if there are any low-hanging fruits remaining, but you probably did that already yourself?

Also, I'd be happy to help with the release; if there is documentation that could guide me along the way, I could be persuaded to be the release manager as well, but that may end up just meaning a lot of questions for everybody else :)

Best regards,
Sönke

On Tue, Mar 18, 2025 at 10:26 AM Istvan Toth <st...@apache.org> wrote:
> Hi!
>
> As we're preparing for Phoenix 5.2.2, I have identified a few transitive
> CVEs from Omid.
> The last Phoenix release was a year ago, and there are more than a dozen
> unreleased CVE, build, and dependency version fixes on the master branch.
>
> I propose releasing Omid 1.1.3 from the current master branch.
>
> Do you have any objections?
> Are there any open issues that should be fixed for 1.1.3?
> If we decide to release, would anyone volunteer to be the 1.1.3 Release
> Manager?
>
> Istvan