-1 (binding)

This vote is now cancelled and I'm creating another RC.

Thanks,
Andor



On Tue, 2024-10-08 at 09:29 -0600, tison wrote:
> I don't think we use XmlStreamReader directly or transitively. But
> upgrading to the latest version is always worth trying, and it can save
> users time figuring out whether they are affected by the CVE.
> 
> Best,
> tison.
> 
> On Tue, Oct 8, 2024 at 09:28, tison <wander4...@gmail.com> wrote:
> > 
> > File https://github.com/apache/zookeeper/pull/2196
> > 
> > Once it's verified, we can bring it to branch-3.8 and branch-3.9.
> > 
> > Best,
> > tison.
> > 
> > On Tue, Oct 8, 2024 at 09:10, Andor Molnar <an...@apache.org> wrote:
> > > 
> > > Sure. Let's fix this.
> > > 
> > > Someone volunteer to create PR?
> > > 
> > > fyi, I'll be out of town from Friday to next Tuesday, so the release
> > > might suffer some delay, apologies.
> > > 
> > > Andor
> > > 
> > > 
> > > 
> > > 
> > > On Tue, 2024-10-08 at 10:02 +0200, Szalay-Bekő Máté wrote:
> > > > someone also created a related Jira ticket:
> > > > https://issues.apache.org/jira/browse/ZOOKEEPER-4868
> > > > 
> > > > On Tue, Oct 8, 2024 at 9:35 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > > > 
> > > > > I am also checking the release, and the dependency-check maven task
> > > > > just failed for me:
> > > > > 
> > > > > [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> > > > > [ERROR]
> > > > > [ERROR] commons-io-2.11.0.jar: CVE-2024-47554(8.7)
> > > > > 
> > > > > the CVE is a new one, about XmlStreamReader class:
> > > > > https://nvd.nist.gov/vuln/detail/CVE-2024-47554
> > > > > 
> > > > > I had no time to check the code if we use this from commons-io, but
> > > > > regardless I think we should consider a new RC.
> > > > > What do you think?
> > > > > 
> > > > > Best Regards,
> > > > > Máté
> > > > > 
> > > > > On Tue, Oct 8, 2024 at 12:37 AM tison <wander4...@gmail.com> wrote:
> > > > > 
> > > > > > +1 (binding)
> > > > > > 
> > > > > > - download link valid
> > > > > > - checksum matches
> > > > > > - signature valid
> > > > > > 
> > > > > > gpg: Signature made 二 10/ 1 14:32:16 2024 MDT
> > > > > > gpg:                using RSA key 3F7A1D16FA4217B1DC75E1C9FFE35B7F15DFA1BA
> > > > > > gpg:                issuer "an...@apache.org"
> > > > > > gpg: Good signature from "Andor Molnar <an...@apache.org>" [unknown]
> > > > > > gpg: WARNING: The key's User ID is not certified with a trusted signature!
> > > > > > gpg:          There is no indication that the signature belongs to the owner.
> > > > > > Primary key fingerprint: 3F7A 1D16 FA42 17B1 DC75  E1C9 FFE3 5B7F 15DF A1BA
> > > > > > 
> > > > > > - license and notice ok
> > > > > > - can build from sources
> > > > > > - play with binary doesn't fail
> > > > > > 
> > > > > > Best,
> > > > > > tison.
> > > > > > 
> > > > > > On Mon, Oct 7, 2024 at 16:08, Andor Molnar <an...@apache.org> wrote:
> > > > > > > 
> > > > > > > +1 (binding)
> > > > > > > 
> > > > > > > - release notes look good
> > > > > > > - signatures and checksum OK
> > > > > > > - Java and CPP build and unit tests passed on Ubuntu 24.04 with
> > > > > > >   OpenJDK version "11.0.12"
> > > > > > > - spotbugs check OK
> > > > > > > - checkstyle check OK
> > > > > > > - owasp dependency check OK
> > > > > > > - quorum created successfully with quorum TLS and client TLS
> > > > > > >   (both from source and binary)
> > > > > > > - some basic smoke tests OK (create, get, set, etc.)
> > > > > > > - zk-smoketests.py, zk-latencies.py OK
> > > > > > > 
> > > > > > > Confirmed that full-build and unit tests don't work with JDK 17.
> > > > > > > Not a showstopper, but a ticket should be opened if you want to
> > > > > > > support it.
> > > > > > > 
> > > > > > > Andor
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > On Tue, 2024-10-01 at 16:28 -0500, Andor Molnar wrote:
> > > > > > > > This is a release candidate for 3.9.3.
> > > > > > > > 
> > > > > > > > This is a bugfix release for the 3.9 release line. Includes
> > > > > > > > important dependency upgrades to address CVEs, several bug- and
> > > > > > > > performance fixes.
> > > > > > > > 
> > > > > > > > The full release notes are available at:
> > > > > > > > 
> > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12354432
> > > > > > > > 
> > > > > > > > *** Please download, test and vote by October 7th 2024, 23:59 UTC+0. ***
> > > > > > > > 
> > > > > > > > Source files:
> > > > > > > > 
> > > > > > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.3-candidate-0/
> > > > > > > > 
> > > > > > > > Maven staging repo:
> > > > > > > > 
> > > > > > > > https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.9.3/
> > > > > > > > 
> > > > > > > > The release candidate tag in git to be voted upon: release-3.9.3-0
> > > > > > > > https://github.com/apache/zookeeper/tree/release-3.9.3-0
> > > > > > > > 
> > > > > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > > > > 
> > > > > > > > The staging version of the website is:
> > > > > > > > 
> > > > > > > > https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.9.3-candidate-0/website/index.html
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Should we release this candidate?
> > > > > > > > 
> > > > > > > > Andor
> > > > > > > > 
> > > > > > > > 
> > > > > > > 
> > > > > > 
> > > > > 
> > > 
