Please vote .
> On Jun 5, 2026, at 10:54, Yash Mayya <[email protected]> wrote:
>
> Hi Xiang,
>
> I have completed all the standard release verifications for Apache Pinot
> 1.5.1 RC1, and everything looks good.
>
> My vote is +1 (binding).
>
> Thanks,
> Yash Mayya
>
>
> On Thu, Jun 4, 2026 at 6:06 PM Xiang Fu <[email protected]
> <mailto:[email protected]>> wrote:
>> Hi all,
>>
>> This is a call for a vote to release Apache Pinot 1.5.1 RC1.
>>
>> 1.5.1 is a security patch release cut from the 1.5.0 tag. RC1 supersedes the
>> withdrawn RC0 and additionally closes the Jetty, BouncyCastle, and
>> commons-configuration2 CVEs. A scan of the RC1 binary distribution reports
>> 0 critical and 0 high findings.
>>
>> Security fixes (vs 1.5.0):
>>
>> - netty 4.1.122.Final -> 4.1.134.Final
>> (CVE-2025-55163, CVE-2025-59419, CVE-2026-33870, CVE-2026-33871,
>> CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587)
>> - log4j-core 2.25.3 -> 2.26.0
>> (CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-34481)
>> - async-http-client 3.0.7 -> 3.0.10 (CVE-2026-45300)
>> - httpclient5 5.6 -> 5.6.1 (CVE-2026-40542)
>> - Pulsar 4.0.9 -> 4.0.10, which pulls BouncyCastle
>> bcprov/bcpkix/bcutil 1.84
>> (CVE-2026-5598 [High], CVE-2026-0636, CVE-2026-5588)
>> - commons-configuration2 2.13.0 -> 2.15.0 (CVE-2026-45205)
>> - CVE-2026-2332 (Jetty request smuggling): the only vulnerable Jetty was
>> Hadoop's embedded HttpServer2, which Pinot never starts. It is now
>> excluded from the Hadoop dependencies and stripped from the shaded jars
>> (apache/pinot#18659), so it no longer ships in the distribution. Jetty
>> itself remains on 9.4.x (EOL, no patch available), but the artifact is
>> gone from the build.
>>
>> The release candidate:
>> https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-1.5.1-rc1/
>>
>> Git tag:
>> https://github.com/apache/pinot/releases/tag/release-1.5.1-rc1
>> Git hash: 020ff0d053 (tag release-1.5.1-rc1)
>>
>> The Nexus staging repository:
>> https://repository.apache.org/content/repositories/orgapachepinot-1082
>>
>> Keys to verify the signature of the release artifacts:
>> https://dist.apache.org/repos/dist/release/pinot/KEYS
>>
>> Release notes / diff vs 1.5.0:
>> https://github.com/apache/pinot/releases/tag/release-1.5.1
>>
>> Documentation on how to verify a release candidate:
>> https://cwiki.apache.org/confluence/display/PINOT/Validating+a+release+candidate
>>
>> The vote will be open for at least 72 hours or until the necessary number
>> of votes are reached.
>>
>> Please vote accordingly:
>> [ ] +1 approve
>> [ ] +0 no opinion
>> [ ] -1 disapprove (and the reason why)
>>
>> Here is my vote:
>> +1 (binding)
>>
>> Thanks,
>> Xiang Fu