x-posted to dev

-----Original Message-----
From: James E. King III
Sent: Wednesday, March 13, 2019 1:26 PM
To: [email protected] ; security
Subject: [VOTE] [RESULT] Apache Thrift 0.9.3.1 Release Candidate

The vote has now closed. The results are:

Binding Votes:
+1 [4] (Randy, Jens, Roger, Jim)
 0 [0]
-1 [0]

The vote is successful. Version 0.9.3.1 is released.

I will move the official Apache Thrift release bits into the correct location. The Maven Central release made earlier in the year will remain as-is. I will also send an update to indicate CVE-2018-1320 is fixed in 0.9.3.1 in addition to 0.12.0.

Thanks everyone!

- Jim

On Sat, Mar 9, 2019 at 10:58 AM James E. King III <[email protected]> wrote:
>
> All,
>
> The 0.9.3.1 release is a single patch to Java to backport the fix of
> CVE-2018-1320 (documented in
> https://issues.apache.org/jira/browse/THRIFT-4506) in 0.12.0 back to
> 0.9.3 per community request. Since "make dist" was not possible on
> the branch due to how stale the dependencies are, I manually applied
> the patch to the 0.9.3 official source tarball instead.
>
> Note that 0.9.3.1 was already released to Maven Central per community
> request in THRIFT-4506 and this release work here represents what
> should have happened before the release to Maven Central.
>
> Note that since this is a fix only to Java, no other external packages
> for other languages will be updated on other sites.
>
> Therefore, I propose that we accept the following release candidate as
> the official Apache Thrift 0.9.3.1 release:
>
> https://dist.apache.org/repos/dist/dev/thrift/0.9.3.1-rc0/thrift-0.9.3.1.tar.gz
>
> The release candidate was created from the 0.9.3.1 branch and can be
> cloned using:
>
> git clone -b 0.9.3.1 https://github.com/apache/thrift.git
>
> The release candidate's GPG signature can be found at:
>
> https://dist.apache.org/repos/dist/dev/thrift/0.9.3.1-rc0/thrift-0.9.3.1.tar.gz.asc
>
> The release candidate's checksums are:
>
> md5: 8bb75fe80db2591c5e814ef377e2715b
> sha1: f787ceb100555eaa19cd20112ce5a703560efc5a
> sha256: 8e5f59285f43bdbb30825e731d946dab49686b003f141b000539cd3eaa3f8aa2
>
> There is no Windows compiler with this release, as it is just a patch for
> Java.
>
> The CHANGES list for this release is available at:
>
> https://github.com/apache/thrift/blob/0.9.3.1/CHANGES
>
> Please download, verify sig/sum, install and test the libraries and
> languages of your choice. Due to the age of this branch, it will not
> pass any CI builds.
>
> This vote will close in 72 hours on 2019-03-12 20:00 UTC
>
> [ ] +1 Release this as Apache Thrift 0.9.3.1
> [ ] +0
> [ ] -1 Do not release this as Apache Thrift 0.9.3.1 because...
