Would it be possible to get ZOOKEEPER-3638 included in 3.5.7 as well? The version of Jetty included in 3.5.6 breaks the admin server. We have been running a backport of 3638 (which just upgrades to a later version) successfully on 3.5.6 here without issue.
Thanks,
Craig Condit

________________________________
From: Norbert Kalmar <[email protected]>
Sent: Thursday, January 30, 2020 3:06 PM
To: DevZooKeeper <[email protected]>
Subject: [EXTERNAL] Re: 3.5.7

Hi all,

Just a heads up. All patches that we wanted (as far as I'm aware, let me know if you miss something) for the 3.5.7 release have been committed to branch 3.5.
Mainly this was:
- ZOOKEEPER-3701 (split brain)
- ZOOKEEPER-3482 (some SASL stuff)
- ZOOKEEPER-3699 (fix CVE about Jackson)

And a few other nice to haves (like ZOOKEEPER-1105 C client WARN msg fix) that also made it.

I started testing the 3.5 branch and I will create a release branch soon (probably tomorrow).

Regards,
Norbert

On Mon, Jan 27, 2020 at 11:30 AM Norbert Kalmar <[email protected]> wrote:

> Only blocker left for 3.5.7 is ZOOKEEPER-3701, patch available here:
> https://github.com/apache/zookeeper/pull/1233
>
> I'll wait another 0.5-1 day if anyone wants to take a look at it. Then
> I'll commit and start the 3.5.7 release process.
>
> Thanks,
> Norbert
>
> On Thu, Jan 23, 2020 at 11:29 AM Norbert Kalmar <[email protected]>
> wrote:
>
>> The patch fixed the CVE warning
>> https://builds.apache.org/job/zookeeper-master-maven-owasp/339/
>>
>> Norbert
>>
>> On Thu, Jan 23, 2020 at 11:07 AM Norbert Kalmar <[email protected]>
>> wrote:
>>
>>> Thanks Patrick, I'll review and preferably commit your patch, which
>>> should negate the CVE warning.
>>>
>>> Regards,
>>> Norbert
>>>
>>> On Wed, Jan 22, 2020 at 5:31 PM Patrick Hunt <[email protected]> wrote:
>>>
>>>> owasp is failing on branch-3.5,
>>>> [ERROR] jackson-databind-2.9.10.1.jar: CVE-2019-20330
>>>>
>>>> seems the same as:
>>>> https://issues.apache.org/jira/browse/ZOOKEEPER-3699
>>>>
>>>> Patrick
>>>>
>>>> On Wed, Jan 22, 2020 at 5:12 AM Ivan Kelly <[email protected]> wrote:
>>>>
>>>> > > Would you have time for a quick fix ?
>>>> >
>>>> > The measures to avoid the problem are listed at the end of the JIRA
>>>> > description. I can't submit a PR until I get permission from my
>>>> > company legal to push to ZK.
>>>> >
>>>> > -Ivan
