Jackson patch merged to master, 3.5 and 3.5.6 Regards, Norbert
On Thu, Sep 26, 2019 at 10:42 PM Patrick Hunt <[email protected]> wrote: > Github just bought semmle and is offering "automated security fixes" - > should we turn this github feature on and give it a try? > > https://help.github.com/en/articles/configuring-automated-security-fixes > > Patrick > > > On Thu, Sep 26, 2019 at 2:32 PM Enrico Olivelli <[email protected]> > wrote: > > > I am cancelling the vote now. > > > > There is already a pending PR for the upgrade > > > > I have approved it, it needs a second +1 > > > > Please take a look and merge > > > > > > Enrico > > > > Il gio 26 set 2019, 20:16 Andor Molnar <[email protected]> ha scritto: > > > > > Sorry I was busy with company work and didn’t have much time for > > > ZooKeeper. I was not sure about whether I have to -1 because of those > new > > > CVEs, but if we can upgrade relatively quickly (bumping version > numbers), > > > then I think we should do it even if the problem doesn’t affect us > > > directly. (owasp build will be red anyways) > > > > > > Enrico, how much effort would be to upgrade Jackson libs again? > > > > > > Sorry about that. > > > > > > Andor > > > > > > > > > > > > > > > > On 2019. Sep 26., at 17:38, Patrick Hunt <[email protected]> wrote: > > > > > > > > On Thu, Sep 26, 2019 at 3:50 AM Enrico Olivelli <[email protected] > > > > > wrote: > > > > > > > >> Hi folks, > > > >> all the community is invited to test this release candidate > > > >> > > > >> and we need at least three binding VOTEs > > > >> > > > >> > > > > After seeing Andor's feedback I was waiting for the new RC to be cut. > > > (also > > > > FYI Strata this week) Given we release relatively infrequently it > > seemed > > > a > > > > better idea to spend an additional few days knocking this one down so > > > it's > > > > not an open question going forward. If folks disagree please state as > > > such > > > > as I'd rather not spend the time reviewing again just to have to > review > > > > another RC. > > > > > > > > Patrick > > > > > > > > > > > > > > > >> Best regards > > > >> Enrico > > > >> > > > >> Il giorno lun 23 set 2019 alle ore 11:22 Enrico Olivelli < > > > >> [email protected]> ha scritto: > > > >> > > > >>> Links to the details: > > > >>> https://github.com/FasterXML/jackson-databind/issues/2449 > > > >>> https://github.com/FasterXML/jackson-databind/issues/2449 > > > >>> > > > >>> @Andor Molnár <[email protected]> is it a -1 from your side ? > > > >>> > > > >>> The rush for 3.5.6 is more about delivering a version of ZK without > > the > > > >>> security issues reported for Jackson Databind, so it may make sense > > to > > > >>> cancel this vote (but I am not doing it actually) > > > >>> Btw we can't follow the fast pace of DataBind and CVEs > > > >>> > > > >>> This is interesting > > > >>> > > > >>> > > > >> > > > > > > https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 > > > >>> > > > >>> > > > >>> As we are not affected but the issues above I suggest to move > forward > > > >> with > > > >>> the current tag > > > >>> > > > >>> > > > >>> > > > >>> Enrico > > > >>> > > > >>> Il giorno lun 23 set 2019 alle ore 11:07 Norbert Kalmar > > > >>> <[email protected]> ha scritto: > > > >>> > > > >>>> These CVE's do no affect ZooKeeper, both is related to Hikari > which > > is > > > >> not > > > >>>> used at all by ZooKeeper. (It's a JDBC connection pooling library) > > > >>>> > > > >>>> > > > >> > > > > > > https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html > > > >>>> > > > >>>> > > > >>>> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <[email protected]> > > > wrote: > > > >>>> > > > >>>>> Hi Enrico! > > > >>>>> > > > >>>>> Looks like owasp is reporting 2 new issues with > > > >>>> jackson-databind-2.9.9.3: > > > >>>>> > > > >>>>> > > > >>>>> > > > >>>> > > > >> > > > > > > https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html > > > >>>>> > > > >>>>> If I’m not mistaken. > > > >>>>> > > > >>>>> Andor > > > >>>>> > > > >>>>> > > > >>>>> > > > >>>>>> On 2019. Sep 20., at 22:18, Enrico Olivelli < > [email protected]> > > > >>>> wrote: > > > >>>>>> > > > >>>>>> This is a bugfix release candidate for 3.5.6. > > > >>>>>> > > > >>>>>> It fixes 27 issues, including upgrade of third party libraries, > > > >>>>>> TTL Node APIs for C API, support for PCKS12 Keystores, and > better > > > >>>>> procedure > > > >>>>>> for the upgrade of servers from 3.4 to 3.5. > > > >>>>>> > > > >>>>>> The full release notes is available at: > > > >>>>>> > > > >>>>>> > > > >>>>> > > > >>>> > > > >> > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243 > > > >>>>>> > > > >>>>>> *** Please download, test and vote by September 23th 2019, 23:59 > > > >>>> UTC+0. > > > >>>>> *** > > > >>>>>> > > > >>>>>> Source files: > > > >>>>>> > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1 > > > >>>>>> > > > >>>>>> Maven staging repo: > > > >>>>>> > > > >>>>> > > > >>>> > > > >> > > > > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1041/ > > > >>>>>> > > > >>>>>> The release candidate tag in git to be voted upon: > > release-3.5.6-rc1 > > > >>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc1 > > > >>>>>> > > > >>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the > > > >> release: > > > >>>>>> https://www.apache.org/dist/zookeeper/KEYS > > > >>>>>> > > > >>>>>> Should we release this candidate? > > > >>>>>> > > > >>>>>> Enrico Olivelli > > > >>>>> > > > >>>>> > > > >>>> > > > >>> > > > >> > > > > > > > > >
