+1 (binding), thanks Xiang!

On Tue, Jun 2, 2026 at 2:35, Xiaotian Jiang (<[email protected]>) wrote:
> +1
>
> On Mon, Jun 1, 2026 at 18:25 Tim Elgersma via dev <[email protected]>
> wrote:
>
>> +1, this makes sense, thanks Xiang!
>>
>> Tim
>>
>> On Mon, Jun 1, 2026 at 3:47 PM Xiang Fu <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> This is a call for a vote to release Apache Pinot 1.5.1 RC0.
>>>
>>> 1.5.1 is a security patch release cut from the 1.5.0 tag. It bumps four
>>> dependencies to close the critical/high CVEs reported in
>>> https://github.com/apache/pinot/issues/18593:
>>>
>>> - netty 4.1.122.Final -> 4.1.134.Final
>>>   (CVE-2025-55163, CVE-2025-59419, CVE-2026-33870, CVE-2026-33871,
>>>   CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587)
>>> - log4j-core 2.25.3 -> 2.26.0
>>>   (CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-34481)
>>> - async-http-client 3.0.7 -> 3.0.10 (CVE-2026-45300)
>>> - httpclient5 5.6 -> 5.6.1 (CVE-2026-40542)
>>>
>>> Known exception: the Jetty CVE-2026-2332 (request smuggling) is NOT
>>> addressed in this release. The Jetty 9.4.x branch is end-of-life with no
>>> patch available (advisory GHSA-355h-qmc2-wpwf; only Jetty 12.0.33/12.1.7
>>> are fixed). Jetty here is a managed dependency for the optional
>>> Hadoop/Spark/Pulsar plugins only -- Pinot's own HTTP layer uses
>>> Grizzly/Jersey -- and closing the CVE requires a Jetty 9->12 migration,
>>> which is out of scope for a patch release.
>>>
>>> The release candidate:
>>> https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-1.5.1-rc0/
>>>
>>> Git tag:
>>> https://github.com/apache/pinot/releases/tag/release-1.5.1-rc0
>>> Git hash: 01e10f352b (tag release-1.5.1-rc0)
>>>
>>> The Nexus staging repository:
>>> https://repository.apache.org/content/repositories/orgapachepinot-1080
>>>
>>> Keys to verify the signature of the release artifacts:
>>> https://dist.apache.org/repos/dist/release/pinot/KEYS
>>>
>>> Release notes / diff vs 1.5.0:
>>> https://github.com/apache/pinot/releases/tag/release-1.5.1
>>>
>>> Documentation on how to verify a release candidate:
>>>
>>> https://cwiki.apache.org/confluence/display/PINOT/Validating+a+release+candidate
>>>
>>> The vote will be open for at least 72 hours or until the necessary number
>>> of votes are reached.
>>>
>>> Please vote accordingly:
>>> [ ] +1 approve
>>> [ ] +0 no opinion
>>> [ ] -1 disapprove (and the reason why)
>>>
>>> Thanks,
>>> Xiang Fu
