Re: [VOTE] Apache Pinot 1.5.1 RC0

Tue, 02 Jun 2026 15:45:55 -0700 

Thanks Xiang! I've verified both the binary and source distributions
locally, and everything looks good.

+1 (binding)

On Mon, Jun 1, 2026 at 3:47 PM Xiang Fu <[email protected]> wrote:

> Hi all,
>
> This is a call for a vote to release Apache Pinot 1.5.1 RC0.
>
> 1.5.1 is a security patch release cut from the 1.5.0 tag. It bumps four
> dependencies to close the critical/high CVEs reported in
> https://github.com/apache/pinot/issues/18593:
>
>   - netty                4.1.122.Final -> 4.1.134.Final
>     (CVE-2025-55163, CVE-2025-59419, CVE-2026-33870, CVE-2026-33871,
>      CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587)
>   - log4j-core           2.25.3 -> 2.26.0
>     (CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-34481)
>   - async-http-client    3.0.7 -> 3.0.10   (CVE-2026-45300)
>   - httpclient5          5.6 -> 5.6.1       (CVE-2026-40542)
>
> Known exception: the Jetty CVE-2026-2332 (request smuggling) is NOT
> addressed in this release. The Jetty 9.4.x branch is end-of-life with no
> patch available (advisory GHSA-355h-qmc2-wpwf; only Jetty 12.0.33/12.1.7
> are fixed). Jetty here is a managed dependency for the optional
> Hadoop/Spark/Pulsar plugins only -- Pinot's own HTTP layer uses
> Grizzly/Jersey -- and closing the CVE requires a Jetty 9->12 migration,
> which is out of scope for a patch release.
>
> The release candidate:
> https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-1.5.1-rc0/
>
> Git tag:
> https://github.com/apache/pinot/releases/tag/release-1.5.1-rc0
> Git hash: 01e10f352b (tag release-1.5.1-rc0)
>
> The Nexus staging repository:
> https://repository.apache.org/content/repositories/orgapachepinot-1080
>
> Keys to verify the signature of the release artifacts:
> https://dist.apache.org/repos/dist/release/pinot/KEYS
>
> Release notes / diff vs 1.5.0:
> https://github.com/apache/pinot/releases/tag/release-1.5.1
>
> Documentation on how to verify a release candidate:
>
> https://cwiki.apache.org/confluence/display/PINOT/Validating+a+release+candidate
>
> The vote will be open for at least 72 hours or until the necessary number
> of votes are reached.
>
> Please vote accordingly:
> [ ] +1 approve
> [ ] +0 no opinion
> [ ] -1 disapprove (and the reason why)
>
> Thanks,
> Xiang Fu
>

Reply via email to