Enrico,

Thanks for the reply!

> Those CVEs are about library upgrades.
> Can you please double check if we already upgraded those libraries?

The required fix version for netty is 4.1.86.Final. It looks like the 3.8 branch is sitting at 4.1.7[36].Final
https://github.com/apache/zookeeper/blob/branch-3.8/pom.xml#L470
https://github.com/apache/zookeeper/blob/branch-3.8.0/pom.xml#L470

Likewise Jackson should be 2.13.2.1 but I see 2.13.1 in the 3.8 branch

> I think that it would only be a matter of cutting a release. It has been
> quite some time since we cut a release out of the 3.8 branch. We can do
> it.

We would certainly appreciate you cutting 3.8.1

> Jackson is usually easily upgradable and Netty requires only some testing.
> If you can't wait for a release you could upgrade those libraries and build
> your package

We are considering this. Thanks!

Ben