Should we sunset that minor release due to the "unfixable" security issue and EOL of dependenc(ies)?

Patrick

On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <an...@apache.org> wrote:

> Yeah, I agree with that, but we can’t leave things here just like that.
> Either we should keep updating the logging libraries on all active branches
> or add the necessary suppression to Owasp. Otherwise the report result will
> be completely meaningless.
>
> Andor
>
> > On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
> >
> > Yes, that is basically my concern. I commented at
> > https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
> >
> > On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
> >
> >> Christopher raised concern about it in
> >>
> >> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
> >>
> >> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
> >> which should not be done in bugfix releases.
> >>
> >> I’m not sure. Maybe we should just add another Owasp suppression, but that
> >> wouldn’t be appropriate either.
> >>
> >> Andor
> >>
> >>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
> >>>
> >>> That’s my understanding too, but looks like folks skipped even the 3.9
> >>> backport in the case of logback.
> >>>
> >>> Andor
> >>>
> >>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
> >>>>
> >>>> My understanding, I thought the rule was to backport any patch to all of
> >>>> the active releases unless it's a new feature. Perhaps ask the folks who
> >>>> committed?
> >>>>
> >>>> Patrick
> >>>>
> >>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
> >>>>
> >>>>> Hi folks,
> >>>>>
> >>>>> Currently I’m working on some backports, because OWASP reports CVEs on the
> >>>>> 3.8 branch and noticed in the PRs that we should only upgrade logback on
> >>>>> the master branch. Why is that?
> >>>>>
> >>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
> >>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798,
> >>>>> CVE-2024-12801
> >>>>>
> >>>>> Regards,
> >>>>> Andor