Il Ven 31 Gen 2020, 16:16 Craig.Condit <craig.con...@target.com> ha scritto:
> Would it be possible to get ZOOKEEPER-3638 included in 3.5.7 as well? I thought it already went in we really must include it. Enrico The version of Jetty included in 3.5.6 breaks the admin server. We have > been running a backport of 3638 (which just upgrades to a later version) > successfully on 3.5.6 here without issue. > > Thanks, > > Craig Condit > > > ________________________________ > From: Norbert Kalmar <nkal...@cloudera.com.INVALID> > Sent: Thursday, January 30, 2020 3:06 PM > To: DevZooKeeper <dev@zookeeper.apache.org> > Subject: [EXTERNAL] Re: 3.5.7 > > Hi all, > > Just a heads up. > > All patch that we wanted (as far as I'm aware, let me know if you miss > something) for the 3.5.7 release has been committed to branch 3.5. Mainly > this was: > - ZOOKEEPER-3701 (split brain) > - ZOOKEEPER-3482 (some SASL stuff) > - ZOOKEEPER-3699 (fix CVE about Jackson) > > And a few other nice to haves (like ZOOKEEPER-1105 C client WARN msg fix) > that also made it. > > I started testing the 3.5 branch and I will create a release branch soon > (probably tomorrow). > > Regards, > Norbert > > On Mon, Jan 27, 2020 at 11:30 AM Norbert Kalmar <nkal...@cloudera.com> > wrote: > > > Only blocker left for 3.5.7 is ZOOKEEPER-3701, patch available here: > > https://github.com/apache/zookeeper/pull/1233 > > > > I'll wait another 0.5-1 day if anyone wants to take a look at it. Then > > I'll commit and start the 3.5.7 release process. > > > > Thanks, > > Norbert > > > > On Thu, Jan 23, 2020 at 11:29 AM Norbert Kalmar <nkal...@cloudera.com> > > wrote: > > > >> The patch fixed the CVE warning > >> https://builds.apache.org/job/zookeeper-master-maven-owasp/339/ > >> > >> Norbert > >> > >> On Thu, Jan 23, 2020 at 11:07 AM Norbert Kalmar <nkal...@cloudera.com> > >> wrote: > >> > >>> Thanks Patrick, I'll review and preferably commit your patch, which > >>> should negate the CVE warning. > >>> > >>> Regards, > >>> Norbert > >>> > >>> On Wed, Jan 22, 2020 at 5:31 PM Patrick Hunt <ph...@apache.org> wrote: > >>> > >>>> owasp is failing on branch-3.5, > >>>> [ERROR] jackson-databind-2.9.10.1.jar: CVE-2019-20330 > >>>> > >>>> seems the same as: > >>>> https://issues.apache.org/jira/browse/ZOOKEEPER-3699 > >>>> > >>>> Patrick > >>>> > >>>> On Wed, Jan 22, 2020 at 5:12 AM Ivan Kelly <iv...@apache.org> wrote: > >>>> > >>>> > > Would you have time for a quick fix ? > >>>> > > >>>> > The measures to avoid the problem are listed at the end of the JIRA > >>>> > description. I can't submit a PR until I get permission from my > >>>> > company legal to push to ZK. > >>>> > > >>>> > -Ivan > >>>> > > >>>> > >>> >
