Hello All,

In relation to the 3.5.8 release I was taking a look at https://issues.apache.org/jira/browse/ZOOKEEPER-3817

It is about a new CVE (https://nvd.nist.gov/vuln/detail/CVE-2020-9488) which describes a weakness in the log4j SmtpAppender. If I am right, this can affect any log4j user who configures SmtpAppender for ZooKeeper. Unfortunately the log4j 1.2 we use is EOL, and this fix can be done only by upgrading to log4j 2.

I am not sure how we are doing with log4j 2. I found this ticket (https://issues.apache.org/jira/browse/ZOOKEEPER-2342), which has been open for some time. But there are some promising recent comments there about the "log4j bridge" that should make this transition easier: http://logging.apache.org/log4j/2.x/manual/migration.html

Questions for anyone (but mostly for the PMCs):

What do you think? Can we suppress this CVE (saying that SmtpAppender is unlikely to be used with ZooKeeper)?

If you think we can't suppress it but need to focus on the log4j upgrade, will this postpone the 3.5.8 release?

Kind regards,
Mate
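As an added illustration of the "log4j bridge" migration path linked above (this is not part of Mate's mail nor ZooKeeper's own build file), the following Maven dependency fragment shows the shape of the change the migration guide describes: the EOL log4j 1.2 artifact is dropped, and the log4j-1.2-api bridge is added alongside the log4j 2 API and core so that existing code compiled against the org.apache.log4j package keeps working while log output is handled by log4j 2. The version number is a placeholder to be replaced with the current log4j 2 release; a Maven build is assumed.

```xml
<!-- Added example, not ZooKeeper's pom.xml. Assumes a Maven build. -->
<properties>
  <!-- Placeholder: substitute the current log4j 2 release version -->
  <log4j2.version>LOG4J2_VERSION_PLACEHOLDER</log4j2.version>
</properties>

<dependencies>
  <!-- Removed: the EOL log4j 1.2 artifact that carries the affected SmtpAppender.
       Shown here as a comment only, so it is no longer on the classpath.
  <dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
  </dependency>
  -->

  <!-- Bridge: provides the org.apache.log4j package so existing callers
       compile unchanged, but routes all logging to log4j 2. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>

  <!-- log4j 2 API and implementation that the bridge delegates to. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
</dependencies>
```

After the swap, a check worth running is `mvn dependency:tree` to confirm that no transitive dependency still pulls in `log4j:log4j:1.2.x`; if one does, an `<exclusions>` block on that dependency keeps the old SmtpAppender off the classpath. The log4j 1.x `log4j.properties` file is not read by the bridge in the same way, so the logging configuration itself also needs to be carried over to a log4j 2 configuration as described in the migration guide.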