Someone also created a related Jira ticket: https://issues.apache.org/jira/browse/ZOOKEEPER-4868
On Tue, Oct 8, 2024 at 9:35 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:

> I am also checking the release, and the dependency-check maven task just
> failed for me:
>
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] commons-io-2.11.0.jar: CVE-2024-47554(8.7)
>
> the CVE is a new one, about the XmlStreamReader class:
> https://nvd.nist.gov/vuln/detail/CVE-2024-47554
>
> I had no time to check the code if we use this from commons-io, but
> regardless I think we should consider a new RC.
> What do you think?
>
> Best Regards,
> Máté
>
> On Tue, Oct 8, 2024 at 12:37 AM tison <wander4...@gmail.com> wrote:
>
>> +1 (binding)
>>
>> - download link valid
>> - checksum matches
>> - signature valid
>>
>> gpg: Signature made 二 10/ 1 14:32:16 2024 MDT
>> gpg: using RSA key 3F7A1D16FA4217B1DC75E1C9FFE35B7F15DFA1BA
>> gpg: issuer "an...@apache.org"
>> gpg: Good signature from "Andor Molnar <an...@apache.org>" [unknown]
>> gpg: WARNING: The key's User ID is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 3F7A 1D16 FA42 17B1 DC75 E1C9 FFE3 5B7F 15DF A1BA
>>
>> - license and notice ok
>> - can build from sources
>> - play with binary doesn't fail
>>
>> Best,
>> tison.
>>
>> Andor Molnar <an...@apache.org> wrote on Mon, Oct 7, 2024 at 16:08:
>> >
>> > +1 (binding)
>> >
>> > - release notes look good
>> > - signatures and checksum OK
>> > - Java and CPP build and unit tests passed on Ubuntu 24.04 with OpenJDK
>> > version "11.0.12"
>> > - spotbugs check OK
>> > - checkstyle check OK
>> > - owasp dependency check OK
>> > - quorum created successfully with quorum TLS and client TLS (both from
>> > source and binary)
>> > - some basic smoke tests OK (create, get, set, etc.)
>> > - zk-smoketests.py, zk-latencies.py OK
>> >
>> > Confirmed that full-build and unit tests don't work with JDK 17. Not
>> > a showstopper, but ticket should be opened if you want to support it.
>> >
>> > Andor
>> >
>> > On Tue, 2024-10-01 at 16:28 -0500, Andor Molnar wrote:
>> > > This is a release candidate for 3.9.3.
>> > >
>> > > This is a bugfix release for the 3.9 release line. Includes important
>> > > dependency upgrades to address CVEs, several bug- and performance
>> > > fixes.
>> > >
>> > > The full release notes are available at:
>> > >
>> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12354432
>> > >
>> > > *** Please download, test and vote by October 7th 2024, 23:59 UTC+0. ***
>> > >
>> > > Source files:
>> > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.3-candidate-0/
>> > >
>> > > Maven staging repo:
>> > > https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.9.3/
>> > >
>> > > The release candidate tag in git to be voted upon: release-3.9.3-0
>> > > https://github.com/apache/zookeeper/tree/release-3.9.3-0
>> > >
>> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>> > > https://www.apache.org/dist/zookeeper/KEYS
>> > >
>> > > The staging version of the website is:
>> > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.3-candidate-0/website/index.html
>> > >
>> > >
>> > > Should we release this candidate?
>> > >
>> > > Andor
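
Added example, not part of the thread or of the ZooKeeper code base: one way to triage the open question above (whether the project's own sources reference the commons-io XmlStreamReader class named in the dependency-check finding). The function names and the sample tree are hypothetical, the matching is a regex heuristic, and it only finds direct references in source, not use through another dependency.

```python
import re
import tempfile
from pathlib import Path

# Class named in the dependency-check finding quoted in the thread.
FQCN = "org.apache.commons.io.input.XmlStreamReader"
PACKAGE, SIMPLE = FQCN.rsplit(".", 1)
# Heuristic: strip comments so a mention in Javadoc is not reported as a use.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)
EXPLICIT = re.compile(r"^\s*import\s+" + re.escape(FQCN) + r"\s*;", re.MULTILINE)
WILDCARD = re.compile(r"^\s*import\s+" + re.escape(PACKAGE) + r"\.\*\s*;", re.MULTILINE)
SIMPLE_USE = re.compile(r"\b" + SIMPLE + r"\b")


def classify(source: str):
    """Return how a Java source refers to the class, or None if it does not."""
    code = COMMENTS.sub("", source)
    if EXPLICIT.search(code):
        return "explicit-import"
    if WILDCARD.search(code) and SIMPLE_USE.search(code):
        return "wildcard-import"
    if FQCN in code:
        return "fully-qualified"
    return None


def scan_tree(root):
    """Map each .java file under root that references the class to the match kind."""
    hits = {}
    for path in sorted(Path(root).rglob("*.java")):
        kind = classify(path.read_text(encoding="utf-8", errors="replace"))
        if kind:
            hits[path.relative_to(root).as_posix()] = kind
    return hits


def demo():
    """Run the scan over a small constructed source tree (not ZooKeeper code)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "A.java").write_text(f"import {FQCN};\nclass A {{}}\n")
        (root / "B.java").write_text(f"import {PACKAGE}.*;\nclass B {{ XmlStreamReader r; }}\n")
        (root / "C.java").write_text(f"// see {FQCN}\nclass C {{}}\n")
        (root / "D.java").write_text(f"class D {{ Object o = new {FQCN}(null); }}\n")
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

An empty result from `scan_tree` on a real checkout rules out only direct source references; the finding still applies to the bundled jar itself.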