These CVEs do not affect ZooKeeper; both are related to Hikari, which is not
used at all by ZooKeeper. (It's a JDBC connection pooling library.)
https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html


On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <[email protected]> wrote:

> Hi Enrico!
>
> Looks like owasp is reporting 2 new issues with jackson-databind-2.9.9.3:
>
>
> https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
>
> If I’m not mistaken.
>
> Andor
>
>
>
> > On 2019. Sep 20., at 22:18, Enrico Olivelli <[email protected]> wrote:
> >
> > This is a bugfix release candidate for 3.5.6.
> >
> > It fixes 27 issues, including upgrade of third party libraries,
> > TTL Node APIs for C API, support for PKCS12 Keystores, and better procedure
> > for the upgrade of servers from 3.4 to 3.5.
> >
> > The full release notes are available at:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >
> > *** Please download, test and vote by September 23rd 2019, 23:59 UTC+0. ***
> >
> > Source files:
> > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
> >
> > Maven staging repo:
> > https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
> >
> > The release candidate tag in git to be voted upon: release-3.5.6-rc1
> > https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
> >
> > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > https://www.apache.org/dist/zookeeper/KEYS
> >
> > Should we release this candidate?
> >
> > Enrico Olivelli
>
>
