Thank you.

For reference, I ran OWASP a few weeks ago, and didn't find any direct
Java CVEs (apart from Protobuf 2.5.0).
There were some transitive CVEs, mainly from Hadoop, and HBase 2.5, as well
as some JavaScript ones.

We should really remove/replace HTrace sooner than later.... (but that's
not a blocker for 5.2.2)

Istvan

On Mon, Apr 28, 2025 at 6:39 PM Lokesh Khurana <khuranalokes...@gmail.com>
wrote:

> Sorry for the delayed response,
>
> I think we are ready for 5.2.2, I'll go ahead with the next steps and start
> the process today.
>
> Thanks
>
> On Wed, Apr 9, 2025 at 12:00 AM Istvan Toth <st...@cloudera.com.invalid>
> wrote:
>
> > I've updated to Omid 1.1.3
> >
> > Unless someone has blockers, we can go ahead with the process.
> > The next step is running the security scanners and updating any components
> > with known CVEs.
> > (Where a fixed version is available and usable)
> >
> > Istvan
> >
> > On Fri, Mar 14, 2025 at 6:18 PM Istvan Toth <st...@cloudera.com> wrote:
> >
> > > Sure, we're glad you've volunteered for Phoenix.
> > >
> > > We will find another RM for Omid if needed.
> > >
> > > Istvan
> > >
> > > On Fri, Mar 14, 2025 at 5:40 PM Lokesh Khurana <khuranalokes...@gmail.com>
> > > wrote:
> > >
> > >> I don't have much idea about Omid, if it's okay I would like to focus on
> > >> Phoenix only?
> > >>
> > >> Thanks
> > >>
> > >> On Fri, Mar 14, 2025 at 9:11 AM Istvan Toth <st...@cloudera.com.invalid>
> > >> wrote:
> > >>
> > >> > Thanks a lot Lokesh.
> > >> >
> > >> > I know it's a stretch, but if we decide to also do an Omid release can you
> > >> > manage that as well ?
> > >> >
> > >> > Istvan
> > >> >
> > >> > On Fri, Mar 14, 2025 at 4:40 PM Lokesh Khurana <khuranalokes...@gmail.com>
> > >> > wrote:
> > >> >
> > >> > > Hi Istvan, Viraj
> > >> > >
> > >> > > I would like to volunteer for Phoenix 5.2.2 RM
> > >> > >
> > >> > > Thanks
> > >> > >
> > >> > > On Fri, Mar 14, 2025 at 1:50 AM Istvan Toth <st...@cloudera.com.invalid>
> > >> > > wrote:
> > >> > >
> > >> > > > Checking the OWASP output, we have a few CVEs coming from Omid.
> > >> > > >
> > >> > > > Should we do a CVE fix release of Omid before 5.2.2 ?
> > >> > > >
> > >> > > > Istvan
> > >> > > >
> > >> > > > On Fri, Mar 14, 2025 at 7:17 AM Istvan Toth <st...@cloudera.com> wrote:
> > >> > > >
> > >> > > > > Thank you.
> > >> > > > > It turns out that I haven't actually committed the PR for HBase 2.5.11. I
> > >> > > > > have done that now.
> > >> > > > >
> > >> > > > > Istvan
> > >> > > > >
> > >> > > > > On Thu, Mar 13, 2025 at 8:58 PM Viraj Jasani <vjas...@apache.org> wrote:
> > >> > > > >
> > >> > > > >> This would be great! We need to take one final round of CVE list to ensure
> > >> > > > >> we have covered majority that we can.
> > >> > > > >> Otherwise, we will mostly see backport of PHOENIX-5117 to 5.2 branch by
> > >> > > > >> Palash, it should be useful. Once done, we can start 5.2.2 release soon.
> > >> > > > >>
> > >> > > > >> While I am not volunteering for 5.2.2, Lokesh might be
> > >> interested.
> > >> > > > >>
> > >> > > > >>
> > >> > > > >> On Wed, Mar 12, 2025 at 10:50 PM Istvan Toth <st...@apache.org> wrote:
> > >> > > > >>
> > >> > > > >> > Hi!
> > >> > > > >> >
> > >> > > > >> > I've merged the Hadoop 2.6.2/2.511 updates to Phoenix.
> > >> > > > >> > I think that the ConnectionInfo pref regression is also fixed.
> > >> > > > >> >
> > >> > > > >> > I think that this would be a good time to start working on a 5.2.2 release
> > >> > > > >> > to fix the ConnectionInfo issues and to minimize our CVE exposure.
> > >> > > > >> >
> > >> > > > >> > WDYT ? Do you have outstanding issues that you want fixed in 5.2.2 ?
> > >> > > > >> > Do you have some other objection to starting the release process soon-ish ?
> > >> > > > >> >
> > >> > > > >> > The only outstanding task in my mind is the regular pre-release CVE check
> > >> > > > >> > and fix pass.
> > >> > > > >> > It would also be great to improve test stability, but I do not
> > >> > > > >> > consider that a blocker.
> > >> > > > >> >
> > >> > > > >> > If we agree on the release, would someone volunteer to be the RM ?
> > >> > > > >> >
> > >> > > > >> > Istvan
> > >> > > > >> >
> > >> > > > >>
> > >> > > > >
> > >> > > > >
> > >> > > > > --
> > >> > > > > *István Tóth* | Sr. Staff Software Engineer
> > >> > > > > *Email*: st...@cloudera.com
> > >> > > > > cloudera.com <https://www.cloudera.com>
> > >> > > > > [image: Cloudera] <https://www.cloudera.com/>
> > >> > > > > [image: Cloudera on Twitter] <https://twitter.com/cloudera>
> > >> > > > > [image: Cloudera on Facebook] <https://www.facebook.com/cloudera>
> > >> > > > > [image: Cloudera on LinkedIn] <https://www.linkedin.com/company/cloudera>
> > >> > > > > ------------------------------
> > >> > > > > ------------------------------
> > >> > > > >
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > >
> > >> >
> > >> >
> > >> >
> > >>
> > >
> > >
> > >
> >
> >
> >
>


