Is the only problem the minor "semantic" upgrade of logback in a fix release of zk? That should be stable (contract wise) on the dependency, right? Or is there some real impact, eg b/w incompat change visible to ZK users? If the former that seems fine, if the latter then we have a harder problem to address. (security issue breaking b/w compat)
Patrick

On Wed, Aug 6, 2025 at 2:36 PM Andor Molnar <an...@apache.org> wrote:
> Sorry for the confusion, I picked 3.8 as an example, but logback/slf4j
> upgrades haven’t been backported to 3.9 either. Therefore I created the
> following backport PR:
>
> https://github.com/apache/zookeeper/pull/2290
>
> > "Why would they be applied to master and not to any active (release) line?
>
> Since we’ve already released 3.9.3 with logback 1.2.13 and don’t want
> users to realize 1.2->1.3 logback upgrade in a 3.9.3->3.9.4 ZooKeeper
> upgrade process, although this upgrade is necessary anyways to address the
> CVE in question.
>
> (in my understanding)
>
> Andor
>
> > On Aug 6, 2025, at 15:34, Patrick Hunt <ph...@apache.org> wrote:
> >
> > I'm confused - this thread started with "OWASP reports CVEs on the 3.8
> > branch and noticed in the PRs that we should only upgrade logback on the
> > master branch" - I read that as "some fixes on 3.9 are not backported to
> > 3.8". But you are saying that this is not fixed (still owasp warnings) on
> > 3.9 which is separate from master? Why would they be applied to master and
> > not to any active (release) line? What is the impact of the changes on
> > master and 3.9? iiuc there are backward incompatible changes if applied to
> > 3.8? There should not be b/w incompatible changes applied to any 3.x (incl
> > master, a future 3.x...) release.
> >
> > Patrick
> >
> > On Wed, Aug 6, 2025 at 1:16 PM Andor Molnar <an...@apache.org> wrote:
> >
> >> Yeah, that would remove the burden of maintaining the 3.8 version line,
> >> but 3.9.x versions still don’t have logback and slf4j upgraded, still
> >> flagged by the Owasp build and users will probably still complain about
> >> CVEs.
> >>
> >> My question is what should we do on branches other than the master?
> >>
> >> 1. Backport logback and slf4j upgrades from master, or
> >> 2. Add Owasp suppression rule to skip checking these libraries completely.
> >>
> >> I need to answer this question before going forward with the 3.9.4 release.
> >>
> >> Regards,
> >> Andor
> >>
> >>> On Aug 6, 2025, at 13:39, Christopher <ctubb...@apache.org> wrote:
> >>>
> >>> +1 to that idea.
> >>>
> >>> The releases page[1] says "Apache ZooKeeper 3.9.3 is our current
> >>> release, and 3.8.4 our latest stable release". Is 3.9 sufficiently
> >>> stable to replace 3.8 as the current "stable"? If the answer is yes,
> >>> then I think it makes sense to EOL 3.8.
> >>>
> >>> [1]: https://zookeeper.apache.org/releases.html#download
> >>>
> >>> On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <ph...@apache.org> wrote:
> >>>>
> >>>> Should we sunset that minor release due to the "unfixable" security issue
> >>>> and EOL of dependenc(ies)?
> >>>>
> >>>> Patrick
> >>>>
> >>>> On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <an...@apache.org> wrote:
> >>>>
> >>>>> Yeah, I agree with that, but we can’t leave things here just like that.
> >>>>> Either we should keep updating the logging libraries on all active branches
> >>>>> or add the necessary suppression to Owasp. Otherwise the report result will
> >>>>> be completely meaningless.
> >>>>>
> >>>>> Andor
> >>>>>
> >>>>>> On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
> >>>>>>
> >>>>>> Yes, that is basically my concern. I commented at
> >>>>>> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
> >>>>>>
> >>>>>> On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
> >>>>>>
> >>>>>>> Christopher raised concern about it in
> >>>>>>>
> >>>>>>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
> >>>>>>>
> >>>>>>> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
> >>>>>>> which should not be done in bugfix releases.
> >>>>>>>
> >>>>>>> I’m not sure. Maybe we should just add another Owasp suppression, but that
> >>>>>>> wouldn’t be appropriate either.
> >>>>>>>
> >>>>>>> Andor
> >>>>>>>
> >>>>>>>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
> >>>>>>>>
> >>>>>>>> That’s my understanding too, but looks like folks skipped even the 3.9
> >>>>>>>> backport in the case of logback.
> >>>>>>>>
> >>>>>>>> Andor
> >>>>>>>>
> >>>>>>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
> >>>>>>>>>
> >>>>>>>>> My understanding, I thought the rule was to backport any patch to all of
> >>>>>>>>> the active releases unless it's a new feature. Perhaps ask the folks who
> >>>>>>>>> committed?
> >>>>>>>>>
> >>>>>>>>> Patrick
> >>>>>>>>>
> >>>>>>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hi folks,
> >>>>>>>>>>
> >>>>>>>>>> Currently I’m working on some backports, because OWASP reports CVEs on the
> >>>>>>>>>> 3.8 branch and noticed in the PRs that we should only upgrade logback on
> >>>>>>>>>> the master branch. Why is that?
> >>>>>>>>>>
> >>>>>>>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
> >>>>>>>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798,
> >>>>>>>>>> CVE-2024-12801
> >>>>>>>>>>
> >>>>>>>>>> Regards,
> >>>>>>>>>> Andor