Yeah, that would remove the burden of maintaining the 3.8 version line, but 
3.9.x versions still don’t have logback and slf4j upgraded, still flagged by 
the Owasp build and users will probably still complain about CVEs.

My question is what should we do on branches other than the master?

1. Backport logback and slf4j upgrades from master, or
2. Add Owasp suppression rule to skip checking these libraries completely.

I need to answer this question before going forward with the 3.9.4 release.

Regards,
Andor



> On Aug 6, 2025, at 13:39, Christopher <ctubb...@apache.org> wrote:
> 
> +1 to that idea.
> 
> The releases page[1] says "Apache ZooKeeper 3.9.3 is our current
> release, and 3.8.4 our latest stable release". Is 3.9 sufficiently
> stable to replace 3.8 as the current "stable"? If the answer is yes,
> then I think it makes sense to EOL 3.8.
> 
> [1]: https://zookeeper.apache.org/releases.html#download
> 
> On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <ph...@apache.org> wrote:
>> 
>> Should we sunset that minor release due to the "unfixable" security issue
>> and EOL of dependenc(ies)?
>> 
>> Patrick
>> 
>> On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <an...@apache.org> wrote:
>> 
>>> Yeah, I agree with that, but we can’t leave things here just like that.
>>> Either we should keep updating the logging libraries on all active branches
>>> or add the necessary suppression to Owasp. Otherwise the report result will
>>> be completely meaningless.
>>> 
>>> Andor
>>> 
>>> 
>>> 
>>>> On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
>>>> 
>>>> Yes, that is basically my concern. I commented at
>>>> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
>>>> 
>>>> On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
>>>> 
>>>>> Christopher raised concern about it in
>>>>> 
>>>>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
>>>>> 
>>>>> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
>>>>> which should not be done in bugfix releases.
>>>>> 
>>>>> I’m not sure. Maybe we should just add another Owasp suppression, but that
>>>>> wouldn’t be appropriate either.
>>>>> 
>>>>> Andor
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
>>>>>> 
>>>>>> That’s my understanding too, but looks like folks skipped even the 3.9
>>>>>> backport in the case of logback.
>>>>>> 
>>>>>> Andor
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
>>>>>>> 
>>>>>>> My understanding, I thought the rule was to backport any patch to all of
>>>>>>> the active releases unless it's a new feature. Perhaps ask the folks who
>>>>>>> committed?
>>>>>>> 
>>>>>>> Patrick
>>>>>>> 
>>>>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
>>>>>>> 
>>>>>>>> Hi folks,
>>>>>>>> 
>>>>>>>> Currently I’m working on some backports, because OWASP reports CVEs on
>>>>>>>> the 3.8 branch and noticed in the PRs that we should only upgrade logback
>>>>>>>> on the master branch. Why is that?
>>>>>>>> 
>>>>>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
>>>>>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
>>>>>>>> 
>>>>>>>> Regards,
>>>>>>>> Andor
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>> 
>>> 
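As an added illustration (not part of this thread and not the ZooKeeper project's own suppression file), the following shows what option 2 above looks like when the OWASP dependency-check suppression is kept narrow: it suppresses only the two CVEs the scanner reported for logback-core rather than skipping the library entirely, and it carries an expiry date so the finding resurfaces if the upgrade has not landed by then. The `until` date, the notes text and the package URL regex are assumptions for the example; the package URL, CPE and CVE identifiers are the ones from the report quoted above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file for OWASP dependency-check (added example, not the project's file). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Time-boxed: after this date (assumed value) the scanner reports the CVEs again,
       so a suppression cannot silently outlive the branch it was written for. -->
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
      logback-core 1.2.x on the maintenance branch. CVE-2024-12798 and CVE-2024-12801
      are tracked for upgrade on master; revisit before the expiry date above.
    ]]></notes>

    <!-- Match only logback-core artifacts, not every dependency that shares the CPE. -->
    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>

    <!-- List the specific CVEs. A newly published logback CVE is NOT covered by this
         block and will still fail the build, which is the point of not using a blanket
         <cpe> suppression for cpe:2.3:a:qos:logback. -->
    <cve>CVE-2024-12798</cve>
    <cve>CVE-2024-12801</cve>
  </suppress>

</suppressions>
```

The difference between this and "skip checking these libraries completely" is the scope: a `<cpe>` or `<packageUrl>` suppression with no `<cve>` children hides every current and future finding for that library, which is what makes a report meaningless, whereas per-CVE entries with an `until` date keep the remaining signal intact. The file is passed to dependency-check with its `suppressionFile` setting (Maven plugin) or `--suppression` (CLI).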
