Hi all, The vote to release Apache Pinot 1.5.1 RC1 has passed with 3 binding +1 votes and no -1 votes. Thanks to everyone who voted and verified the release.
Binding +1 (PMC): - Yash - Xiaotian - Gonzalo No 0 or -1 votes. I will now proceed to finalize the release: promote the artifacts to the release area, release the Nexus staging repository, push the release tag, and publish the release notes. An [ANNOUNCE] will follow once the artifacts have propagated to the mirrors and Maven Central. Thanks, Xiang Fu On Tue, Jun 30, 2026 at 2:11 AM Gonzalo Ortiz Jaureguizar < [email protected]> wrote: > +1 (binding) > > El mar, 30 jun 2026 a las 0:22, Xiaotian Jiang (<[email protected]>) > escribió: > >> +1 >> >> On Thu, Jun 4, 2026 at 6:06 PM Xiang Fu <[email protected]> wrote: >> >>> Hi all, >>> >>> This is a call for a vote to release Apache Pinot 1.5.1 RC1. >>> >>> 1.5.1 is a security patch release cut from the 1.5.0 tag. RC1 supersedes >>> the >>> withdrawn RC0 and additionally closes the Jetty, BouncyCastle, and >>> commons-configuration2 CVEs. A scan of the RC1 binary distribution >>> reports >>> 0 critical and 0 high findings. >>> >>> Security fixes (vs 1.5.0): >>> >>> - netty 4.1.122.Final -> 4.1.134.Final >>> (CVE-2025-55163, CVE-2025-59419, CVE-2026-33870, CVE-2026-33871, >>> CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587) >>> - log4j-core 2.25.3 -> 2.26.0 >>> (CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-34481) >>> - async-http-client 3.0.7 -> 3.0.10 (CVE-2026-45300) >>> - httpclient5 5.6 -> 5.6.1 (CVE-2026-40542) >>> - Pulsar 4.0.9 -> 4.0.10, which pulls BouncyCastle >>> bcprov/bcpkix/bcutil 1.84 >>> (CVE-2026-5598 [High], CVE-2026-0636, CVE-2026-5588) >>> - commons-configuration2 2.13.0 -> 2.15.0 (CVE-2026-45205) >>> - CVE-2026-2332 (Jetty request smuggling): the only vulnerable Jetty >>> was >>> Hadoop's embedded HttpServer2, which Pinot never starts. It is now >>> excluded from the Hadoop dependencies and stripped from the shaded >>> jars >>> (apache/pinot#18659), so it no longer ships in the distribution. >>> Jetty >>> itself remains on 9.4.x (EOL, no patch available), but the artifact >>> is >>> gone from the build. >>> >>> The release candidate: >>> https://dist.apache.org/repos/dist/dev/pinot/apache-pinot-1.5.1-rc1/ >>> >>> Git tag: >>> https://github.com/apache/pinot/releases/tag/release-1.5.1-rc1 >>> Git hash: 020ff0d053 (tag release-1.5.1-rc1) >>> >>> The Nexus staging repository: >>> https://repository.apache.org/content/repositories/orgapachepinot-1082 >>> >>> Keys to verify the signature of the release artifacts: >>> https://dist.apache.org/repos/dist/release/pinot/KEYS >>> >>> Release notes / diff vs 1.5.0: >>> https://github.com/apache/pinot/releases/tag/release-1.5.1 >>> >>> Documentation on how to verify a release candidate: >>> >>> https://cwiki.apache.org/confluence/display/PINOT/Validating+a+release+candidate >>> >>> The vote will be open for at least 72 hours or until the necessary number >>> of votes are reached. >>> >>> Please vote accordingly: >>> [ ] +1 approve >>> [ ] +0 no opinion >>> [ ] -1 disapprove (and the reason why) >>> >>> Here is my vote: >>> +1 (binding) >>> >>> Thanks, >>> Xiang Fu >>> >>
