I'm confused - this thread started with "OWASP reports CVEs on the 3.8 branch and noticed in the PRs that we should only upgrade logback on the master branch" - I read that as "some fixes on 3.9 are not backported to 3.8". But you are saying that this is not fixed (still owasp warnings) on 3.9 which is separate from master? Why would they be applied to master and not to any active (release) line? What is the impact of the changes on master and 3.9? iiuc there are backward incompatible changes if applied to 3.8? There should not be b/w incompatible changes applied to any 3.x (incl master, a future 3.x...) release.
Patrick

On Wed, Aug 6, 2025 at 1:16 PM Andor Molnar <[email protected]> wrote:

> Yeah, that would remove the burden of maintaining the 3.8 version line,
> but 3.9.x versions still don’t have logback and slf4j upgraded, still
> flagged by the Owasp build and users will probably still complain about
> CVEs.
>
> My question is what should we do on branches other than the master?
>
> 1. Backport logback and slf4j upgrades from master, or
> 2. Add Owasp suppression rule to skip checking these libraries completely.
>
> I need to answer this question before going forward with the 3.9.4 release.
>
> Regards,
> Andor
>
> > On Aug 6, 2025, at 13:39, Christopher <[email protected]> wrote:
> >
> > +1 to that idea.
> >
> > The releases page[1] says "Apache ZooKeeper 3.9.3 is our current
> > release, and 3.8.4 our latest stable release". Is 3.9 sufficiently
> > stable to replace 3.8 as the current "stable"? If the answer is yes,
> > then I think it makes sense to EOL 3.8.
> >
> > [1]: https://zookeeper.apache.org/releases.html#download
> >
> > On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <[email protected]> wrote:
> >>
> >> Should we sunset that minor release due to the "unfixable" security
> >> issue and EOL of dependenc(ies)?
> >>
> >> Patrick
> >>
> >> On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <[email protected]> wrote:
> >>
> >>> Yeah, I agree with that, but we can’t leave things here just like that.
> >>> Either we should keep updating the logging libraries on all active
> >>> branches or add the necessary suppression to Owasp. Otherwise the
> >>> report result will be completely meaningless.
> >>>
> >>> Andor
> >>>
> >>>> On Aug 4, 2025, at 08:21, Christopher <[email protected]> wrote:
> >>>>
> >>>> Yes, that is basically my concern. I commented at
> >>>> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
> >>>>
> >>>> On Fri, Aug 1, 2025, 18:43 Andor Molnar <[email protected]> wrote:
> >>>>
> >>>>> Christopher raised concern about it in
> >>>>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
> >>>>>
> >>>>> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
> >>>>> which should not be done in bugfix releases.
> >>>>>
> >>>>> I’m not sure. Maybe we should just add another Owasp suppression, but
> >>>>> that wouldn’t be appropriate either.
> >>>>>
> >>>>> Andor
> >>>>>
> >>>>>> On Jul 30, 2025, at 18:39, Andor Molnar <[email protected]> wrote:
> >>>>>>
> >>>>>> That’s my understanding too, but looks like folks skipped even the 3.9
> >>>>>> backport in the case of logback.
> >>>>>>
> >>>>>> Andor
> >>>>>>
> >>>>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <[email protected]> wrote:
> >>>>>>>
> >>>>>>> My understanding, I thought the rule was to backport any patch to all
> >>>>>>> of the active releases unless it's a new feature. Perhaps ask the
> >>>>>>> folks who committed?
> >>>>>>>
> >>>>>>> Patrick
> >>>>>>>
> >>>>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <[email protected]> wrote:
> >>>>>>>
> >>>>>>>> Hi folks,
> >>>>>>>>
> >>>>>>>> Currently I’m working on some backports, because OWASP reports CVEs
> >>>>>>>> on the 3.8 branch and noticed in the PRs that we should only upgrade
> >>>>>>>> logback on the master branch. Why is that?
> >>>>>>>>
> >>>>>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
> >>>>>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798,
> >>>>>>>> CVE-2024-12801
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Andor
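Added example, not taken from the thread or from the ZooKeeper repository: what Andor's option 2 (an Owasp suppression rule) looks like as an OWASP dependency-check suppression file, scoped to the two CVE ids and the package coordinates from his report rather than to "these libraries completely". The file name owaspSuppressions.xml, the until date and the notes text are assumptions made for the example; the CVE ids, the package URL and the version are the ones reported above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- owaspSuppressions.xml (file name is an assumption for this example) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Scoped suppression: one artifact, two named CVEs, with an expiry.
       When the until date passes the findings come back in the report,
       so the rule cannot silently outlive the release line it was added for. -->
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
      logback-core 1.2.13 on the 3.x release branches.
      Upgrading to a fixed logback requires the slf4j 2.x major bump, which the
      thread above says should not be done in a bugfix release; suppressed
      until the branch is either upgraded or end-of-lifed. (notes text is an
      assumption for this example)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@1\.2\.13$</packageUrl>
    <cve>CVE-2024-12798</cve>
    <cve>CVE-2024-12801</cve>
  </suppress>

  <!-- Counter-example of what "skip checking these libraries completely"
       would mean: no <cve> element and a version-agnostic regex, so every
       current and future logback finding disappears from the report.
       Shown only to illustrate the difference; not recommended. -->
  <!--
  <suppress>
    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/.*$</packageUrl>
  </suppress>
  -->

</suppressions>
```

Two things a reviewer of such a change would check: the suppression alters only the report, not the jar that ships, so the affected classes are still on the classpath of a 3.8 or 3.9 build; and a rule without <cve> children or without an until date is exactly the case Andor describes where the Owasp result becomes meaningless, because nothing new in that artifact will ever be flagged again.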
