Hi Xiang,

I have completed all the standard release verifications for Apache Pinot 1.5.1 RC1, and everything looks good.

My vote is +1 (binding).

Thanks,
Yash Mayya

On Thu, Jun 4, 2026 at 6:06 PM Xiang Fu <[email protected]> wrote:
> Hi all,
>
> This is a call for a vote to release Apache Pinot 1.5.1 RC1.
>
> 1.5.1 is a security patch release cut from the 1.5.0 tag. RC1 supersedes the
> withdrawn RC0 and additionally closes the Jetty, BouncyCastle, and
> commons-configuration2 CVEs. A scan of the RC1 binary distribution reports
> 0 critical and 0 high findings.
>
> Security fixes (vs 1.5.0):
>
> - netty 4.1.122.Final -> 4.1.134.Final
>   (CVE-2025-55163, CVE-2025-59419, CVE-2026-33870, CVE-2026-33871,
>   CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587)
> - log4j-core 2.25.3 -> 2.26.0
>   (CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-34481)
> - async-http-client 3.0.7 -> 3.0.10 (CVE-2026-45300)
> - httpclient5 5.6 -> 5.6.1 (CVE-2026-40542)
> - Pulsar 4.0.9 -> 4.0.10, which pulls BouncyCastle bcprov/bcpkix/bcutil 1.84
>   (CVE-2026-5598 [High], CVE-2026-0636, CVE-2026-5588)
> - commons-configuration2 2.13.0 -> 2.15.0 (CVE-2026-45205)
> - CVE-2026-2332 (Jetty request smuggling): the only vulnerable Jetty was
>   Hadoop's embedded HttpServer2, which Pinot never starts. It is now
>   excluded from the Hadoop dependencies and stripped from the shaded jars
>   (apache/pinot#18659), so it no longer ships in the distribution. Jetty
>   itself remains on 9.4.x (EOL, no patch available), but the artifact is
>   gone from the build.
>
> The release candidate:
> https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-1.5.1-rc1/
>
> Git tag:
> https://github.com/apache/pinot/releases/tag/release-1.5.1-rc1
> Git hash: 020ff0d053 (tag release-1.5.1-rc1)
>
> The Nexus staging repository:
> https://repository.apache.org/content/repositories/orgapachepinot-1082
>
> Keys to verify the signature of the release artifacts:
> https://dist.apache.org/repos/dist/release/pinot/KEYS
>
> Release notes / diff vs 1.5.0:
> https://github.com/apache/pinot/releases/tag/release-1.5.1
>
> Documentation on how to verify a release candidate:
> https://cwiki.apache.org/confluence/display/PINOT/Validating+a+release+candidate
>
> The vote will be open for at least 72 hours or until the necessary number
> of votes are reached.
>
> Please vote accordingly:
> [ ] +1 approve
> [ ] +0 no opinion
> [ ] -1 disapprove (and the reason why)
>
> Here is my vote:
> +1 (binding)
>
> Thanks,
> Xiang Fu
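Added example, not part of this thread and not Pinot's own release tooling: a small Python check a voter could run over an unpacked distribution's lib/ directory to confirm the two claims the vote call makes, that no shipped jar is below the patched versions listed above and that no jar (shaded or standalone) still carries Jetty classes after the HttpServer2 exclusion. The artifact-name prefixes used to match jars, the netty-tcnative exclusion and the constructed sample jars are assumptions for illustration; a real lib/ directory is read the same way.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Minimum patched versions, taken from the 1.5.1 RC1 vote e-mail. The keys are
# assumed artifact-name prefixes (e.g. "netty-handler", "bcprov-jdk18on");
# adjust them to whatever `ls lib/` in the real distribution shows.
MIN_VERSIONS = {
    "netty-": "4.1.134.Final",
    "log4j-core": "2.26.0",
    "async-http-client": "3.0.10",
    "httpclient5": "5.6.1",
    "bcprov-": "1.84",
    "bcpkix-": "1.84",
    "bcutil-": "1.84",
    "commons-configuration2": "2.15.0",
}

# netty-tcnative is versioned independently of netty proper (assumption: it
# is present in lib/), so it must not be compared against 4.1.134.Final.
IGNORE_PREFIXES = ("netty-tcnative",)

# Any jar still carrying classes under this package is a finding, because the
# vote call says the only Jetty in the build (Hadoop's HttpServer2) was stripped.
JETTY_CLASS_PREFIX = "org/eclipse/jetty/"

JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar$")


def version_key(version):
    """'4.1.134.Final' -> (4, 1, 134); qualifiers such as Final are ignored."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def check_jar_version(jar_name):
    """Return a finding if the jar's version is below its patched minimum, else None."""
    m = JAR_NAME.match(jar_name)
    if not m:
        return None  # shaded/unversioned jar names are not comparable by name
    artifact, version = m.group("artifact"), m.group("version")
    if artifact.startswith(IGNORE_PREFIXES):
        return None
    for prefix, minimum in MIN_VERSIONS.items():
        if artifact.startswith(prefix) and version_key(version) < version_key(minimum):
            return f"{jar_name}: {artifact} {version} is below patched {minimum}"
    return None


def check_jar_contents(jar_path):
    """Return a finding if the jar contains Jetty class entries, else None."""
    with zipfile.ZipFile(jar_path) as zf:
        hits = [n for n in zf.namelist() if n.startswith(JETTY_CLASS_PREFIX)]
    if hits:
        return f"{Path(jar_path).name}: ships {len(hits)} Jetty entries (e.g. {hits[0]})"
    return None


def scan_distribution(lib_dir):
    """Walk lib/ and return every finding; an empty list means the checks passed."""
    findings = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        if jar.name.startswith("jetty-"):
            findings.append(f"{jar.name}: standalone Jetty artifact still present")
        for finding in (check_jar_version(jar.name), check_jar_contents(jar)):
            if finding:
                findings.append(finding)
    return findings


def _write_jar(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")


def build_sample_distribution(target_dir):
    """Constructed lib/ directory for demonstration; not a real Pinot build."""
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    # Patched and clean jars.
    _write_jar(target / "netty-handler-4.1.134.Final.jar", ["io/netty/handler/X.class"])
    _write_jar(target / "log4j-core-2.26.0.jar", ["org/apache/logging/log4j/core/X.class"])
    _write_jar(target / "pinot-all-1.5.1-shaded.jar", ["org/apache/pinot/X.class"])
    # A stale netty jar and a shaded jar that still bundles HttpServer2 plus Jetty.
    _write_jar(target / "netty-codec-4.1.122.Final.jar", ["io/netty/handler/codec/X.class"])
    _write_jar(target / "pinot-plugins-1.5.1-shaded.jar",
               ["org/apache/hadoop/http/HttpServer2.class",
                "org/eclipse/jetty/server/Server.class"])
    return target


def run_demo():
    """Build the constructed sample and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_distribution(build_sample_distribution(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING:", finding)
```

Against a real RC, point `scan_distribution` at the unpacked `apache-pinot-1.5.1-bin/lib` directory; the version check only covers jars that keep their Maven name, so the content check is what catches a dependency hidden inside a shaded jar.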
