I have triggered Pulsar CI builds for the pulsar-ci [1] and pulsar-ci-flaky [2] workflows for `branch-3.0` and `branch-3.3`. I'll proceed with the release process [3] for 3.0.7 and 3.3.2 once there are successful build results from the Pulsar CI builds.
The release vote will be handled in an expedited manner on the dev mailing list, in a vote thread. Due to the criticality of the security vulnerability, I'm suggesting that we proceed with releasing the artifacts once there are 3 positive binding votes following the ASF Release Policy, with a one hour minimum voting period. The 72 hour minimum voting period in the ASF Release Policy is not a mandatory release approval requirement [4].

-Lari

1 - https://github.com/apache/pulsar/actions/workflows/pulsar-ci.yaml
2 - https://github.com/apache/pulsar/actions/workflows/pulsar-ci-flaky.yaml
3 - https://pulsar.apache.org/contribute/release-process/
4 - https://www.apache.org/legal/release-policy.html#release-approval

On 2024/10/03 20:58:43 Lari Hotari wrote:
> Dear Pulsar Community,
>
> There's a critical 9.3/10 level RCE vulnerability in Avro Java SDK
> <1.11.4, CVE-2024-47561.
> More details can be found in these resources:
> - https://github.com/advisories/GHSA-r7pg-v2c8-mfg3
> - https://nvd.nist.gov/vuln/detail/CVE-2024-47561
> - https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x
>
> In Pulsar, there's a PR under review to upgrade Avro to 1.11.4:
> https://github.com/apache/pulsar/pull/23394
>
> I suggest that we start preparations for expedited Pulsar 3.0.7 and
> 3.3.2 releases due to this critical vulnerability. I can volunteer to
> handle these releases as a release manager.
>
> Further coordination of these releases and discussions about possible
> mitigations will be on the dev@pulsar.apache.org mailing list. I have
> also sent this message to the us...@pulsar.apache.org list. Mailing
> list archives and joining instructions for the dev mailing list can be
> found at https://pulsar.apache.org/contact/.
>
> -Lari
>