Github just bought semmle and is offering "automated security fixes" - should we turn this github feature on and give it a try?
https://help.github.com/en/articles/configuring-automated-security-fixes Patrick On Thu, Sep 26, 2019 at 2:32 PM Enrico Olivelli <[email protected]> wrote: > I am cancelling the vote now. > > There is already a pending PR for the upgrade > > I have approved it, it needs a second +1 > > Please take a look and merge > > > Enrico > > Il gio 26 set 2019, 20:16 Andor Molnar <[email protected]> ha scritto: > > > Sorry I was busy with company work and didn’t have much time for > > ZooKeeper. I was not sure about whether I have to -1 because of those new > > CVEs, but if we can upgrade relatively quickly (bumping version numbers), > > then I think we should do it even if the problem doesn’t affect us > > directly. (owasp build will be red anyways) > > > > Enrico, how much effort would be to upgrade Jackson libs again? > > > > Sorry about that. > > > > Andor > > > > > > > > > > > On 2019. Sep 26., at 17:38, Patrick Hunt <[email protected]> wrote: > > > > > > On Thu, Sep 26, 2019 at 3:50 AM Enrico Olivelli <[email protected]> > > wrote: > > > > > >> Hi folks, > > >> all the community is invited to test this release candidate > > >> > > >> and we need at least three binding VOTEs > > >> > > >> > > > After seeing Andor's feedback I was waiting for the new RC to be cut. > > (also > > > FYI Strata this week) Given we release relatively infrequently it > seemed > > a > > > better idea to spend an additional few days knocking this one down so > > it's > > > not an open question going forward. If folks disagree please state as > > such > > > as I'd rather not spend the time reviewing again just to have to review > > > another RC. > > > > > > Patrick > > > > > > > > > > > >> Best regards > > >> Enrico > > >> > > >> Il giorno lun 23 set 2019 alle ore 11:22 Enrico Olivelli < > > >> [email protected]> ha scritto: > > >> > > >>> Links to the details: > > >>> https://github.com/FasterXML/jackson-databind/issues/2449 > > >>> https://github.com/FasterXML/jackson-databind/issues/2449 > > >>> > > >>> @Andor Molnár <[email protected]> is it a -1 from your side ? > > >>> > > >>> The rush for 3.5.6 is more about delivering a version of ZK without > the > > >>> security issues reported for Jackson Databind, so it may make sense > to > > >>> cancel this vote (but I am not doing it actually) > > >>> Btw we can't follow the fast pace of DataBind and CVEs > > >>> > > >>> This is interesting > > >>> > > >>> > > >> > > > https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 > > >>> > > >>> > > >>> As we are not affected but the issues above I suggest to move forward > > >> with > > >>> the current tag > > >>> > > >>> > > >>> > > >>> Enrico > > >>> > > >>> Il giorno lun 23 set 2019 alle ore 11:07 Norbert Kalmar > > >>> <[email protected]> ha scritto: > > >>> > > >>>> These CVE's do no affect ZooKeeper, both is related to Hikari which > is > > >> not > > >>>> used at all by ZooKeeper. (It's a JDBC connection pooling library) > > >>>> > > >>>> > > >> > > > https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html > > >>>> > > >>>> > > >>>> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <[email protected]> > > wrote: > > >>>> > > >>>>> Hi Enrico! > > >>>>> > > >>>>> Looks like owasp is reporting 2 new issues with > > >>>> jackson-databind-2.9.9.3: > > >>>>> > > >>>>> > > >>>>> > > >>>> > > >> > > > https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html > > >>>>> > > >>>>> If I’m not mistaken. > > >>>>> > > >>>>> Andor > > >>>>> > > >>>>> > > >>>>> > > >>>>>> On 2019. Sep 20., at 22:18, Enrico Olivelli <[email protected]> > > >>>> wrote: > > >>>>>> > > >>>>>> This is a bugfix release candidate for 3.5.6. > > >>>>>> > > >>>>>> It fixes 27 issues, including upgrade of third party libraries, > > >>>>>> TTL Node APIs for C API, support for PCKS12 Keystores, and better > > >>>>> procedure > > >>>>>> for the upgrade of servers from 3.4 to 3.5. > > >>>>>> > > >>>>>> The full release notes is available at: > > >>>>>> > > >>>>>> > > >>>>> > > >>>> > > >> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243 > > >>>>>> > > >>>>>> *** Please download, test and vote by September 23th 2019, 23:59 > > >>>> UTC+0. > > >>>>> *** > > >>>>>> > > >>>>>> Source files: > > >>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1 > > >>>>>> > > >>>>>> Maven staging repo: > > >>>>>> > > >>>>> > > >>>> > > >> > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1041/ > > >>>>>> > > >>>>>> The release candidate tag in git to be voted upon: > release-3.5.6-rc1 > > >>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc1 > > >>>>>> > > >>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the > > >> release: > > >>>>>> https://www.apache.org/dist/zookeeper/KEYS > > >>>>>> > > >>>>>> Should we release this candidate? > > >>>>>> > > >>>>>> Enrico Olivelli > > >>>>> > > >>>>> > > >>>> > > >>> > > >> > > > > >
