Hi all,

I'm cancelling the vote on Apache Pinot 1.5.1 RC0.

After cutting RC0, a scan surfaced additional CVEs that we can cleanly fix,
so rather than ship 1.5.1 with known gaps and immediately follow up, I'm
rolling them into RC1:

- CVE-2026-2332 (Jetty request smuggling): the vulnerable Jetty is only
Hadoop's embedded HttpServer2 (which Pinot never starts). RC1 excludes /
strips it from the Hadoop deps and the shaded jars (apache/pinot#18659
<https://github.com/apache/pinot/pull/18659>), so it no longer ships.
(Jetty itself stays on 9.4.x; 9.4 is EOL with no patch, but the artifact is
now gone from the distribution.)
- CVE-2026-5598 (High), CVE-2026-0636, CVE-2026-5588 (BouncyCastle): Pulsar
bundles BouncyCastle via org.apache.pulsar:bouncy-castle-bc. Bumping Pulsar
4.0.9 -> 4.0.10 pulls bcprov/bcpkix/bcutil 1.84.
- CVE-2026-45205 (commons-configuration2): 2.13.0 -> 2.15.0.

With these, a clean scan of the RC1 binary distribution shows 0 critical
and 0 high findings.

RC0 has been withdrawn: the staging repository has been dropped, the
dev-dist artifacts (apache-pinot-1.5.1-rc0) removed, and the rc0 tag
deleted.

A [VOTE] for 1.5.1 RC1 will follow shortly. Apologies for the churn, and
thanks for your patience.

Thanks,
Xiang Fu
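
One check a reviewer of RC1 might run, added here as an example rather than anything from the thread or the Pinot project: it walks an unpacked binary distribution and reports any jar that is a Jetty artifact by name or that still bundles Jetty classes inside a shaded jar (the `shaded/` relocation prefix and file names in the comments are assumptions for illustration).

```python
# Added example (not from the thread or the Pinot project): flag any jar in a
# distribution tree that is a Jetty artifact or bundles Jetty classes.
import os
import sys
import zipfile

JETTY_CLASS_MARKER = "org/eclipse/jetty/"
JETTY_JAR_PREFIX = "jetty-"


def jetty_entries(jar_path):
    """Return Jetty .class entries bundled inside one jar (empty if none)."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            # Substring, not prefix: shade plugins that relocate packages put
            # their own prefix in front (e.g. shaded/org/eclipse/jetty/...).
            return sorted(n for n in jar.namelist()
                          if JETTY_CLASS_MARKER in n and n.endswith(".class"))
    except zipfile.BadZipFile:
        return []  # unreadable jar: nothing to attribute to Jetty


def find_jetty_artifacts(dist_dir):
    """Scan every jar under dist_dir; return {jar_path: reason}.

    reason is "artifact" for a Jetty jar itself, or "shaded:<N> classes"
    when Jetty classes are bundled inside another (shaded/fat) jar.
    """
    findings = {}
    for root, _dirs, files in os.walk(dist_dir):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(root, name)
            if name.startswith(JETTY_JAR_PREFIX):
                findings[path] = "artifact"  # e.g. jetty-server-9.4.x.jar
                continue
            bundled = jetty_entries(path)
            if bundled:
                findings[path] = f"shaded:{len(bundled)} classes"
    return findings


if __name__ == "__main__":
    # Usage: python check_jetty.py <unpacked-distribution-dir>; exit 1 on hits.
    hits = find_jetty_artifacts(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, reason in sorted(hits.items()):
        print(f"{reason:20} {path}")
    sys.exit(1 if hits else 0)
```

A clean RC1 tree should produce no output and exit 0; the name check catches a stray Hadoop-pulled Jetty jar, the entry check catches classes folded into the shaded plugin jars.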

On Tue, Jun 2, 2026 at 3:45 PM Yash Mayya <[email protected]> wrote:

> Thanks Xiang! I've verified both the binary and source distributions
> locally, and everything looks good.
>
> +1 (binding)
>
> On Mon, Jun 1, 2026 at 3:47 PM Xiang Fu <[email protected]> wrote:
>
>> Hi all,
>>
>> This is a call for a vote to release Apache Pinot 1.5.1 RC0.
>>
>> 1.5.1 is a security patch release cut from the 1.5.0 tag. It bumps four
>> dependencies to close the critical/high CVEs reported in
>> https://github.com/apache/pinot/issues/18593:
>>
>>   - netty                4.1.122.Final -> 4.1.134.Final
>>     (CVE-2025-55163, CVE-2025-59419, CVE-2026-33870, CVE-2026-33871,
>>      CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587)
>>   - log4j-core           2.25.3 -> 2.26.0
>>     (CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-34481)
>>   - async-http-client    3.0.7 -> 3.0.10   (CVE-2026-45300)
>>   - httpclient5          5.6 -> 5.6.1       (CVE-2026-40542)
>>
>> Known exception: the Jetty CVE-2026-2332 (request smuggling) is NOT
>> addressed in this release. The Jetty 9.4.x branch is end-of-life with no
>> patch available (advisory GHSA-355h-qmc2-wpwf; only Jetty 12.0.33/12.1.7
>> are fixed). Jetty here is a managed dependency for the optional
>> Hadoop/Spark/Pulsar plugins only -- Pinot's own HTTP layer uses
>> Grizzly/Jersey -- and closing the CVE requires a Jetty 9->12 migration,
>> which is out of scope for a patch release.
>>
>> The release candidate:
>> https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-1.5.1-rc0/
>>
>> Git tag:
>> https://github.com/apache/pinot/releases/tag/release-1.5.1-rc0
>> Git hash: 01e10f352b (tag release-1.5.1-rc0)
>>
>> The Nexus staging repository:
>> https://repository.apache.org/content/repositories/orgapachepinot-1080
>>
>> Keys to verify the signature of the release artifacts:
>> https://dist.apache.org/repos/dist/release/pinot/KEYS
>>
>> Release notes / diff vs 1.5.0:
>> https://github.com/apache/pinot/releases/tag/release-1.5.1
>>
>> Documentation on how to verify a release candidate:
>>
>> https://cwiki.apache.org/confluence/display/PINOT/Validating+a+release+candidate
>>
>> The vote will be open for at least 72 hours or until the necessary number
>> of votes is reached.
>>
>> Please vote accordingly:
>> [ ] +1 approve
>> [ ] +0 no opinion
>> [ ] -1 disapprove (and the reason why)
>>
>> Thanks,
>> Xiang Fu
>>
>
