Hi Ben,

Let me check this.
I triggered an OWASP check build on Apache CI:
https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.8.1/7/

Btw, Enrico, we're still having both 3.8.0 and 3.8.1 releases on the
web page as separate release lines. Would you mind if I submit a change
to the webpage to remove 3.8.0?

Not sure who I talked to about it; it was a long time ago.

Regards,
Andor




On Thu, 2023-05-18 at 17:54 +0000, Ben Johnston wrote:
> > version of zookeeper we are using is 3.8.0
>  
> The latest zookeeper release is 3.8.1 (
> https://github.com/apache/zookeeper/releases/tag/release-3.8.1) that
> included a number of bugfixes, probably some that are in your list
> 
> The 3.8.1 does have a medium and low CVE that are on the Jetty
> server: CVE-2023-26048 and CVE-2023-26049. When might the team do a
> release to do security fixes?
>  
> Thanks,
>  
> Ben Johnston, GCIH, GCFA, GPEN
> Application Security Engineer
> COFENSE
> o. 785-250-4412
> e. ben.johns...@cofense.com
>  
> From: Dilip anand (Jira) <j...@apache.org>
> Date: Tuesday, May 16, 2023 at 11:34 AM
> To: dev@zookeeper.apache.org <dev@zookeeper.apache.org>
> Subject: [jira] [Created] (ZOOKEEPER-4696) Update for Zookeeper
> latest version
> 
> Dilip anand created ZOOKEEPER-4696:
> --------------------------------------
> 
>              Summary: Update for Zookeeper latest version
>                  Key: ZOOKEEPER-4696
>                  URL: 
> https://issues.apache.org/jira/browse/ZOOKEEPER-4696
>              Project: ZooKeeper
>           Issue Type: Bug
>             Reporter: Dilip anand
> 
> 
> Hi team,
> 
>        We ran a scan for security vulnerability fixes, we have seen
> CVEs that are affected for zookeeper, and the version of zookeeper we
> are using is 3.8.0. Here are the CVEs which are affected with
> zookeeper: CVE-2022-32221, CVE-2023-23914, CVE-2023-27533,
> CVE-2023-27534, CVE-2022-22576, CVE-2020-8169, CVE-2020-8285,
> CVE-2020-8286, CVE-2021-22926, CVE-2021-22946, CVE-2022-27775,
> CVE-2022-27781, CVE-2022-27782, CVE-2023-23916, which do not have any
> reports on the Red Hat website. We want to know what version of
> zookeeper will clear these CVEs and when it'll be released?
> 
> Regards,
> Dilip
> 
> 
> 
> --
> This message was sent by Atlassian Jira
> (v8.20.10#820010)
