Hi Istvan,

I have taken a brief look at the results of our vulnerability scanning, and
while Omid doesn't fare too well there, I think a lot of the
vulnerabilities we cannot do much about.

48 of the critical ones are due to jackson-databind 2.4.0, which is still
pulled in by the Hadoop version that is used by the HBase version Omid uses
(I believe also in the updated version for 1.1.3), which we can't do much
about in this project I guess.


Quite a few of the other vulnerabilities also come in via dependencies of
Hadoop, so may vanish with the update. I am happy to build and scan an
image with the current master branch to get a comparison and see if there
are any low hanging fruits remaining, but you probably did that already
yourself?

Also, I'd be happy to help with the release, if there is documentation that
could guide me along the way I could be persuaded to be the release manager
as well, but that may end up just meaning a lot of questions for everybody
else :)

Best regards,
Sönke



On Tue, Mar 18, 2025 at 10:26 AM Istvan Toth <st...@apache.org> wrote:

> Hi!
>
> As we're preparing for Phoenix 5.2.2, I have identified a few transitive
> CVEs from Omid.
> The last Phoenix release was a year ago, and there are more than a dozen
> unreleased CVE, build, and dependency version fixes on the master branch.
>
> I propose releasing Omid 1.1.3 from the current master branch.
>
> Do you have any objections?
> Are there any open issues that should be fixed for 1.1.3?
> If we decide to release, would anyone volunteer to be the 1.1.3 Release
> Manager?
>
> Istvan
>