Hi all,

The vote to release Apache Pinot 1.5.1 RC1 has passed with 3 binding +1
votes
and no -1 votes. Thanks to everyone who voted and verified the release.

Binding +1 (PMC):
  - Yash
  - Xiaotian
  - Gonzalo

No 0 or -1 votes.

I will now proceed to finalize the release: promote the artifacts to the
release area, release the Nexus staging repository, push the release tag,
and publish the release notes. An [ANNOUNCE] will follow once the artifacts
have propagated to the mirrors and Maven Central.

Thanks,

Xiang Fu

On Tue, Jun 30, 2026 at 2:11 AM Gonzalo Ortiz Jaureguizar <
[email protected]> wrote:

> +1 (binding)
>
> El mar, 30 jun 2026 a las 0:22, Xiaotian Jiang (<[email protected]>)
> escribió:
>
>> +1
>>
>> On Thu, Jun 4, 2026 at 6:06 PM Xiang Fu <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> This is a call for a vote to release Apache Pinot 1.5.1 RC1.
>>>
>>> 1.5.1 is a security patch release cut from the 1.5.0 tag. RC1 supersedes
>>> the
>>> withdrawn RC0 and additionally closes the Jetty, BouncyCastle, and
>>> commons-configuration2 CVEs. A scan of the RC1 binary distribution
>>> reports
>>> 0 critical and 0 high findings.
>>>
>>> Security fixes (vs 1.5.0):
>>>
>>>   - netty                4.1.122.Final -> 4.1.134.Final
>>>     (CVE-2025-55163, CVE-2025-59419, CVE-2026-33870, CVE-2026-33871,
>>>      CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587)
>>>   - log4j-core           2.25.3 -> 2.26.0
>>>     (CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-34481)
>>>   - async-http-client    3.0.7 -> 3.0.10   (CVE-2026-45300)
>>>   - httpclient5          5.6 -> 5.6.1       (CVE-2026-40542)
>>>   - Pulsar               4.0.9 -> 4.0.10, which pulls BouncyCastle
>>>     bcprov/bcpkix/bcutil 1.84
>>>     (CVE-2026-5598 [High], CVE-2026-0636, CVE-2026-5588)
>>>   - commons-configuration2  2.13.0 -> 2.15.0  (CVE-2026-45205)
>>>   - CVE-2026-2332 (Jetty request smuggling): the only vulnerable Jetty
>>> was
>>>     Hadoop's embedded HttpServer2, which Pinot never starts. It is now
>>>     excluded from the Hadoop dependencies and stripped from the shaded
>>> jars
>>>     (apache/pinot#18659), so it no longer ships in the distribution.
>>> Jetty
>>>     itself remains on 9.4.x (EOL, no patch available), but the artifact
>>> is
>>>     gone from the build.
>>>
>>> The release candidate:
>>> https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-1.5.1-rc1/
>>>
>>> Git tag:
>>> https://github.com/apache/pinot/releases/tag/release-1.5.1-rc1
>>> Git hash: 020ff0d053 (tag release-1.5.1-rc1)
>>>
>>> The Nexus staging repository:
>>> https://repository.apache.org/content/repositories/orgapachepinot-1082
>>>
>>> Keys to verify the signature of the release artifacts:
>>> https://dist.apache.org/repos/dist/release/pinot/KEYS
>>>
>>> Release notes / diff vs 1.5.0:
>>> https://github.com/apache/pinot/releases/tag/release-1.5.1
>>>
>>> Documentation on how to verify a release candidate:
>>>
>>> https://cwiki.apache.org/confluence/display/PINOT/Validating+a+release+candidate
>>>
>>> The vote will be open for at least 72 hours or until the necessary number
>>> of votes are reached.
>>>
>>> Please vote accordingly:
>>> [ ] +1 approve
>>> [ ] +0 no opinion
>>> [ ] -1 disapprove (and the reason why)
>>>
>>> Here is my vote:
>>> +1 (binding)
>>>
>>> Thanks,
>>> Xiang Fu
>>>
>>

Reply via email to