Hello,
before cutting a new release we have to fix these issues:

[2022-01-25T13:12:17.229Z] netty-transport-4.1.70.Final.jar (pkg:maven/io.netty/netty-transport@4.1.70.Final, cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797
[2022-01-25T13:12:17.229Z] log4j-1.2.17.jar (pkg:maven/log4j/log4j@1.2.17, cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*) : CVE-2021-4104, CVE-2022-23307

For Netty the fix is easy and I am going to send a patch soon.

For Log4j we are at this point:
- for 3.8 we are migrating to LogBack
- for 3.6 and 3.7 we are stuck with log4j1

One "compatible" option for 3.6 and 3.7 is to migrate to https://reload4j.qos.ch/

See https://ci-hadoop.apache.org/blue/organizations/jenkins/zookeeper-multi-branch-owasp

Enrico