Sorry I was busy with company work and didn’t have much time for ZooKeeper. I 
was not sure about whether I have to -1 because of those new CVEs, but if we 
can upgrade relatively quickly (bumping version numbers), then I think we 
should do it even if the problem doesn’t affect us directly. (owasp build will 
be red anyways)

Enrico, how much effort would be to upgrade Jackson libs again?

Sorry about that.

Andor




> On 2019. Sep 26., at 17:38, Patrick Hunt <[email protected]> wrote:
> 
> On Thu, Sep 26, 2019 at 3:50 AM Enrico Olivelli <[email protected]> wrote:
> 
>> Hi folks,
>> all the community is invited to test this release candidate
>> 
>> and we need at least three binding VOTEs
>> 
>> 
> After seeing Andor's feedback I was waiting for the new RC to be cut. (also
> FYI Strata this week) Given we release relatively infrequently it seemed a
> better idea to spend an additional few days knocking this one down so it's
> not an open question going forward. If folks disagree please state as such
> as I'd rather not spend the time reviewing again just to have to review
> another RC.
> 
> Patrick
> 
> 
> 
>> Best regards
>> Enrico
>> 
>> On Mon 23 Sep 2019 at 11:22 Enrico Olivelli <[email protected]> wrote:
>> 
>>> Links to the details:
>>> https://github.com/FasterXML/jackson-databind/issues/2449
>>> 
>>> @Andor Molnár <[email protected]>  is it a -1 from your side ?
>>> 
>>> The rush for 3.5.6 is more about delivering a version of ZK without the
>>> security issues reported for Jackson Databind, so it may make sense to
>>> cancel this vote (but I am not doing it actually)
>>> Btw we can't follow the fast pace of DataBind and CVEs
>>> 
>>> This is interesting
>>> 
>>> https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
>>> 
>>> 
>>> As we are not affected by the issues above I suggest to move forward with
>>> the current tag
>>> 
>>> 
>>> 
>>> Enrico
>>> 
>>> On Mon 23 Sep 2019 at 11:07 Norbert Kalmar
>>> <[email protected]> wrote:
>>> 
>>>> These CVEs do not affect ZooKeeper, both are related to Hikari which is not
>>>> used at all by ZooKeeper. (It's a JDBC connection pooling library)
>>>> 
>>>> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
>>>> 
>>>> 
>>>> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <[email protected]> wrote:
>>>> 
>>>>> Hi Enrico!
>>>>> 
>>>>> Looks like owasp is reporting 2 new issues with jackson-databind-2.9.9.3:
>>>>> 
>>>>> https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
>>>>> 
>>>>> If I’m not mistaken.
>>>>> 
>>>>> Andor
>>>>> 
>>>>> 
>>>>> 
>>>>>> On 2019. Sep 20., at 22:18, Enrico Olivelli <[email protected]> wrote:
>>>>>> 
>>>>>> This is a bugfix release candidate for 3.5.6.
>>>>>> 
>>>>>> It fixes 27 issues, including upgrade of third party libraries,
>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
>>>>>> procedure for the upgrade of servers from 3.4 to 3.5.
>>>>>> 
>>>>>> The full release notes are available at:
>>>>>> 
>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>>>>>> 
>>>>>> *** Please download, test and vote by September 23rd 2019, 23:59 UTC+0. ***
>>>>>> 
>>>>>> Source files:
>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
>>>>>> 
>>>>>> Maven staging repo:
>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
>>>>>> 
>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc1
>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
>>>>>> 
>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>>>>>> https://www.apache.org/dist/zookeeper/KEYS
>>>>>> 
>>>>>> Should we release this candidate?
>>>>>> 
>>>>>> Enrico Olivelli
>>>>> 
>>>>> 
>>>> 
>>> 
>> 
