Hi runzhiwang, I checked the vulnerabilities. Both vulnerabilities are related to Http so that Ratis is not affected as mentioned by Marton. I agree that we can continue the release. Thanks a lot.
Tsz-Wo On Tue, Mar 23, 2021 at 10:52 AM runzhiwang <[email protected]> wrote: > > As far as I understood Ratis/Ozone are not affected by these > > vulnerabilities. > > > I am +1 to create new ratis-thirdparty release, but IMHO we don't need > > to cancel the current 2.0.0 vote, we can close it and release the > > artifacts > > @Tsz-wo What do you think ? > > Arpit Agarwal <[email protected]> 于2021年3月23日周二 上午5:58写道: > > > Can we conclude this vote now? > > > > > On Mar 22, 2021, at 7:38 AM, Elek, Marton <[email protected]> wrote: > > > > > > > > > > > > On 3/20/21 3:48 AM, Tsz Wo Sze wrote: > > >> In https://issues.apache.org/jira/browse/RATIS-1342 , we have bumped > > Netty > > >> version to 4.1.60.Final in ratis-thirdparty due to the Netty > > >> vulnerabilities. > > >> - > > https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 > > >> - > > https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj > > >> Should we also have a ratis-thridparty release? > > >> > > > > > > As far as I understood Ratis/Ozone are not affected by these > > vulnerabilities. > > > > > > I am +1 to create new ratis-thirdparty release, but IMHO we don't need > > to cancel the current 2.0.0 vote, we can close it and release the > > artifacts... > > > > > > Marton > > > > >
