I don't think we use XmlStreamReader directly or transitively. But
upgrading to the latest version is always worth trying, and it can save
users time figuring out whether they are affected by the CVE.

Best,
tison.

On Tue, Oct 8, 2024 at 09:28, tison <wander4...@gmail.com> wrote:
>
> File https://github.com/apache/zookeeper/pull/2196
>
> Once it's verified, we can bring it to branch-3.8 and branch-3.9.
>
> Best,
> tison.
>
> On Tue, Oct 8, 2024 at 09:10, Andor Molnar <an...@apache.org> wrote:
> >
> > Sure. Let's fix this.
> >
> > Someone volunteer to create PR?
> >
> > fyi, I'll be out of town from Friday to next Tuesday, so the release
> > might suffer some delay, apologies.
> >
> > Andor
> >
> >
> >
> >
> > On Tue, 2024-10-08 at 10:02 +0200, Szalay-Bekő Máté wrote:
> > > someone also created a related Jira ticket:
> > > https://issues.apache.org/jira/browse/ZOOKEEPER-4868
> > >
> > > On Tue, Oct 8, 2024 at 9:35 AM Szalay-Bekő Máté
> > > <szalay.beko.m...@gmail.com>
> > > wrote:
> > >
> > > > I am also checking the release, and the dependency-check maven task
> > > > just
> > > > failed for me:
> > > >
> > > > [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> > > > [ERROR]
> > > > [ERROR] commons-io-2.11.0.jar: CVE-2024-47554(8.7)
> > > >
> > > > the CVE is a new one, about XmlStreamReader class:
> > > > https://nvd.nist.gov/vuln/detail/CVE-2024-47554
> > > >
> > > > I had no time to check the code if we use this from commons-io, but
> > > > regardless I think we should consider a new RC.
> > > > What do you think?
> > > >
> > > > Best Regards,
> > > > Máté
> > > >
> > > > On Tue, Oct 8, 2024 at 12:37 AM tison <wander4...@gmail.com> wrote:
> > > >
> > > > > +1 (binding)
> > > > >
> > > > > - download link valid
> > > > > - checksum matches
> > > > > - signature valid
> > > > >
> > > > > gpg: Signature made 二 10/ 1 14:32:16 2024 MDT
> > > > > gpg:                using RSA key 3F7A1D16FA4217B1DC75E1C9FFE35B7F15DFA1BA
> > > > > gpg:                issuer "an...@apache.org"
> > > > > gpg: Good signature from "Andor Molnar <an...@apache.org>" [unknown]
> > > > > gpg: WARNING: The key's User ID is not certified with a trusted signature!
> > > > > gpg:          There is no indication that the signature belongs to the owner.
> > > > > Primary key fingerprint: 3F7A 1D16 FA42 17B1 DC75  E1C9 FFE3 5B7F 15DF A1BA
> > > > >
> > > > > - license and notice ok
> > > > > - can build from sources
> > > > > - play with binary doesn't fail
> > > > >
> > > > > Best,
> > > > > tison.
> > > > >
> > > > > On Mon, Oct 7, 2024 at 16:08, Andor Molnar <an...@apache.org> wrote:
> > > > > >
> > > > > > +1 (binding)
> > > > > >
> > > > > > - release notes look good
> > > > > > - signatures and checksum OK
> > > > > > - Java and CPP build and unit tests passed on Ubuntu 24.04 with OpenJDK version "11.0.12"
> > > > > > - spotbugs check OK
> > > > > > - checkstyle check OK
> > > > > > - owasp dependency check OK
> > > > > > - quorum created successfully with quorum TLS and client TLS (both from source and binary)
> > > > > > - some basic smoke tests OK (create, get, set, etc.)
> > > > > > - zk-smoketests.py, zk-latencies.py OK
> > > > > >
> > > > > > Confirmed that the full build and unit tests don't work with JDK 17.
> > > > > > Not a showstopper, but a ticket should be opened if you want to
> > > > > > support it.
> > > > > >
> > > > > > Andor
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Tue, 2024-10-01 at 16:28 -0500, Andor Molnar wrote:
> > > > > > > This is a release candidate for 3.9.3.
> > > > > > >
> > > > > > > This is a bugfix release for the 3.9 release line. Includes
> > > > > > > important
> > > > > > > dependency upgrades to address CVEs, several bug- and
> > > > > > > performance
> > > > > > > fixes.
> > > > > > >
> > > > > > > The full release notes are available at:
> > > > > > >
> > > > > > >
> > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12354432
> > > > > > >
> > > > > > > *** Please download, test and vote by October 7th 2024, 23:59
> > > > > > > UTC+0.
> > > > > > > ***
> > > > > > >
> > > > > > > Source files:
> > > > > > >
> > > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.3-candidate-0/
> > > > > > >
> > > > > > > Maven staging repo:
> > > > > > >
> > > > > https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.9.3/
> > > > > > >
> > > > > > > The release candidate tag in git to be voted upon: release-3.9.3-0
> > > > > > > https://github.com/apache/zookeeper/tree/release-3.9.3-0
> > > > > > >
> > > > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the
> > > > > > > release:
> > > > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > > >
> > > > > > > The staging version of the website is:
> > > > > > >
> > > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.3-candidate-0/website/index.html
> > > > > > >
> > > > > > >
> > > > > > > Should we release this candidate?
> > > > > > >
> > > > > > > Andor
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> >
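The "checksum matches" and "signature valid" steps that the voters above walk through, as an added shell example that is not code from this thread or from the ZooKeeper project; it assumes gpg, awk and sha512sum (or shasum) are installed, and the artifact file names in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or the ZooKeeper project: the
# "checksum matches / signature valid" steps from the votes above, scripted.
# Assumes gpg, awk and sha512sum (or shasum) are installed. File names are
# placeholders; fetch the artifact, its .sha512 and .asc from the dist area
# and KEYS from https://www.apache.org/dist/zookeeper/KEYS first.

# Hex SHA-512 of a file, portable across coreutils and BSD/macOS.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Compare the artifact digest with the published .sha512 file (assumes the
# sha512sum-style "digest  filename" layout). Returns 0 on match, 1 otherwise.
verify_checksum() {
    local artifact="$1" sha_file="$2" expected actual
    expected=$(awk 'NR==1 {print tolower($1)}' "$sha_file")
    actual=$(sha512_of "$artifact")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify the detached .asc against ONLY the keys in the project's KEYS file,
# imported into a throwaway keyring. gpg still prints "WARNING: The key's
# User ID is not certified with a trusted signature!" because nothing in that
# keyring carries web-of-trust certification; what matters is that the
# signature validates against a key from KEYS. On success the signing key's
# fingerprint (from the machine-readable VALIDSIG status line) is printed so
# it can be compared with the fingerprint the release manager announced.
verify_signature() {
    local artifact="$1" asc_file="$2" keys_file="$3" ring fpr
    ring=$(mktemp -d) || return 1
    chmod 700 "$ring"
    if ! gpg --homedir "$ring" --batch --quiet --import "$keys_file" 2>/dev/null; then
        rm -rf "$ring"; return 1
    fi
    fpr=$(gpg --homedir "$ring" --batch --status-fd 1 --verify "$asc_file" "$artifact" 2>/dev/null \
          | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {print $3}')
    rm -rf "$ring"
    [ -n "$fpr" ] || return 1
    echo "$fpr"
}

# Usage (placeholder names):
#   verify_checksum apache-zookeeper-3.9.3-bin.tar.gz apache-zookeeper-3.9.3-bin.tar.gz.sha512 \
#     && verify_signature apache-zookeeper-3.9.3-bin.tar.gz apache-zookeeper-3.9.3-bin.tar.gz.asc KEYS
```

The gpg warning quoted in tison's vote is the normal outcome of verifying against KEYS alone; the fingerprint the function prints is what to compare with the key published for the release.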
