Sorry for the confusion, I picked 3.8 as an example, but logback/slf4j upgrades haven’t been backported to 3.9 either. Therefore I created the following backport PR:
https://github.com/apache/zookeeper/pull/2290

> "Why would they be applied to master and not to any active (release) line?

Since we’ve already released 3.9.3 with logback 1.2.13 and don’t want users to realize 1.2->1.3 logback upgrade in a 3.9.3->3.9.4 ZooKeeper upgrade process, although this upgrade is necessary anyways to address the CVE in question. (in my understanding)

Andor

> On Aug 6, 2025, at 15:34, Patrick Hunt <ph...@apache.org> wrote:
>
> I'm confused - this thread started with "OWASP reports CVEs on the 3.8
> branch and noticed in the PRs that we should only upgrade logback on the
> master branch" - I read that as "some fixes on 3.9 are not backported to
> 3.8". But you are saying that this is not fixed (still owasp warnings) on
> 3.9 which is separate from master? Why would they be applied to master and
> not to any active (release) line? What is the impact of the changes on
> master and 3.9? iiuc there are backward incompatible changes if applied to
> 3.8? There should not be b/w incompatible changes applied to any 3.x (incl
> master, a future 3.x...) release.
>
> Patrick
>
> On Wed, Aug 6, 2025 at 1:16 PM Andor Molnar <an...@apache.org> wrote:
>
>> Yeah, that would remove the burden of maintaining the 3.8 version line,
>> but 3.9.x versions still don’t have logback and slf4j upgraded, still
>> flagged by the Owasp build and users will probably still complain about
>> CVEs.
>>
>> My question is what should we do on branches other than the master?
>>
>> 1. Backport logback and slf4j upgrades from master, or
>> 2. Add Owasp suppression rule to skip checking these libraries completely.
>>
>> I need to answer this question before going forward with the 3.9.4 release.
>>
>> Regards,
>> Andor
>>
>>> On Aug 6, 2025, at 13:39, Christopher <ctubb...@apache.org> wrote:
>>>
>>> +1 to that idea.
>>>
>>> The releases page[1] says "Apache ZooKeeper 3.9.3 is our current
>>> release, and 3.8.4 our latest stable release". Is 3.9 sufficiently
>>> stable to replace 3.8 as the current "stable"? If the answer is yes,
>>> then I think it makes sense to EOL 3.8.
>>>
>>> [1]: https://zookeeper.apache.org/releases.html#download
>>>
>>> On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <ph...@apache.org> wrote:
>>>>
>>>> Should we sunset that minor release due to the "unfixable" security issue
>>>> and EOL of dependenc(ies)?
>>>>
>>>> Patrick
>>>>
>>>> On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <an...@apache.org> wrote:
>>>>
>>>>> Yeah, I agree with that, but we can’t leave things here just like that.
>>>>> Either we should keep updating the logging libraries on all active branches
>>>>> or add the necessary suppression to Owasp. Otherwise the report result will
>>>>> be completely meaningless.
>>>>>
>>>>> Andor
>>>>>
>>>>>> On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
>>>>>>
>>>>>> Yes, that is basically my concern. I commented at
>>>>>> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
>>>>>>
>>>>>> On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
>>>>>>
>>>>>>> Christopher raised concern about it in
>>>>>>>
>>>>>>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
>>>>>>>
>>>>>>> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
>>>>>>> which should not be done in bugfix releases.
>>>>>>>
>>>>>>> I’m not sure. Maybe we should just add another Owasp suppression, but that
>>>>>>> wouldn’t be appropriate either.
>>>>>>>
>>>>>>> Andor
>>>>>>>
>>>>>>>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
>>>>>>>>
>>>>>>>> That’s my understanding too, but looks like folks skipped even the 3.9
>>>>>>>> backport in the case of logback.
>>>>>>>>
>>>>>>>> Andor
>>>>>>>>
>>>>>>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
>>>>>>>>>
>>>>>>>>> My understanding, I thought the rule was to backport any patch to all of
>>>>>>>>> the active releases unless it's a new feature. Perhaps ask the folks who
>>>>>>>>> committed?
>>>>>>>>>
>>>>>>>>> Patrick
>>>>>>>>>
>>>>>>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
>>>>>>>>>
>>>>>>>>>> Hi folks,
>>>>>>>>>>
>>>>>>>>>> Currently I’m working on some backports, because OWASP reports CVEs on the
>>>>>>>>>> 3.8 branch and noticed in the PRs that we should only upgrade logback on
>>>>>>>>>> the master branch. Why is that?
>>>>>>>>>>
>>>>>>>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
>>>>>>>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798,
>>>>>>>>>> CVE-2024-12801
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Andor
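The thread weighs backporting the logback/slf4j upgrade against "adding an Owasp suppression rule to skip checking these libraries completely", and notes that a blanket suppression makes the report meaningless. The file below is an added illustration, not code from the thread or from the ZooKeeper repository, of how an OWASP dependency-check suppression can instead be scoped to exactly the finding quoted in the first message (the logback-core 1.2.13 purl and the two CVE ids) and time-boxed with the `until` attribute so it resurfaces for review. The commented-out blanket rule shows the shape of the option the thread argues against. The file name, the `until` date and the notes text are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative dependency-check suppressions file (assumed name:
     owasp-suppressions-example.xml). Not the ZooKeeper project's own file. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Option 2 as worded in the thread: skip the library completely.
       Suppressing the CPE identification removes every current and future
       logback CVE from the report, so a new logback advisory would never
       be seen. Kept here only to show what NOT to commit. -->
  <!--
  <suppress>
    <notes><![CDATA[ logback: suppress everything (too broad) ]]></notes>
    <cpe>cpe:/a:qos:logback</cpe>
  </suppress>
  -->

  <!-- Narrow alternative: only the two CVEs named in the thread, only for
       logback-core in the 1.2.x line, with the reason recorded and an
       expiry so the finding reappears and must be re-evaluated.
       The 'until' date is an assumed placeholder. -->
  <suppress until="2026-01-31Z">
    <notes><![CDATA[
      CVE-2024-12798 / CVE-2024-12801 reported against logback-core 1.2.13.
      The upgrade drags in a major SLF4J upgrade and was deferred from the
      3.9.x bugfix line; see https://github.com/apache/zookeeper/pull/2290.
      Re-evaluate before the expiry date above.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@1\.2\..*$</packageUrl>
    <cve>CVE-2024-12798</cve>
    <cve>CVE-2024-12801</cve>
  </suppress>

</suppressions>
```

Because the narrow rule matches on package URL plus specific CVE ids rather than on the CPE, any other logback advisory, and any finding against logback-classic or a 1.3.x artifact, still fails the build; the `until` expiry turns the suppression into a dated exception rather than a permanent blind spot.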