Only blocker left for 3.5.7 is ZOOKEEPER-3701, patch available here: https://github.com/apache/zookeeper/pull/1233
I'll wait another 0.5-1 day if anyone wants to take a look at it. Then I'll commit and start the 3.5.7 release process.

Thanks,
Norbert

On Thu, Jan 23, 2020 at 11:29 AM Norbert Kalmar <[email protected]> wrote:

> The patch fixed the CVE warning
> https://builds.apache.org/job/zookeeper-master-maven-owasp/339/
>
> Norbert
>
> On Thu, Jan 23, 2020 at 11:07 AM Norbert Kalmar <[email protected]>
> wrote:
>
>> Thanks Patrick, I'll review and preferably commit your patch, which
>> should negate the CVE warning.
>>
>> Regards,
>> Norbert
>>
>> On Wed, Jan 22, 2020 at 5:31 PM Patrick Hunt <[email protected]> wrote:
>>
>>> owasp is failing on branch-3.5,
>>> [ERROR] jackson-databind-2.9.10.1.jar: CVE-2019-20330
>>>
>>> seems the same as:
>>> https://issues.apache.org/jira/browse/ZOOKEEPER-3699
>>>
>>> Patrick
>>>
>>> On Wed, Jan 22, 2020 at 5:12 AM Ivan Kelly <[email protected]> wrote:
>>>
>>> > > Would you have time for a quick fix ?
>>> >
>>> > The measures to avoid the problem are listed at the end of the JIRA
>>> > description. I can't submit a PR until I get permission from my
>>> > company legal to push to ZK.
>>> >
>>> > -Ivan
