Maybe the slf4j upgrade (1.7.30 -> 2.0.13) has higher impact, because it's a major upgrade. Logback is just an example of how to do logging with ZooKeeper; real-life setups probably replace it with something else like log4j2. The logging facade (slf4j) could have bw incompatible changes that will force users to make changes related to logging on their classpath.

I'm speculating and haven't checked slf4j for details.

Andor

> On Aug 6, 2025, at 16:46, Patrick Hunt <ph...@apache.org> wrote:
>
> Is the only problem the minor "semantic" upgrade of logback in a fix
> release of zk? That should be stable (contract wise) on the dependency,
> right? Or is there some real impact, eg b/w incompat change visible to ZK
> users? If the former that seems fine, if the latter then we have a harder
> problem to address. (security issue breaking b/w compat)
>
> Patrick
>
> On Wed, Aug 6, 2025 at 2:36 PM Andor Molnar <an...@apache.org> wrote:
>
>> Sorry for the confusion, I picked 3.8 as an example, but logback/slf4j
>> upgrades haven't been backported to 3.9 either. Therefore I created the
>> following backport PR:
>>
>> https://github.com/apache/zookeeper/pull/2290
>>
>>> "Why would they be applied to master and not to any active (release)
>>> line?
>>
>> Since we've already released 3.9.3 with logback 1.2.13 and don't want
>> users to realize 1.2->1.3 logback upgrade in a 3.9.3->3.9.4 ZooKeeper
>> upgrade process, although this upgrade is necessary anyways to address the
>> CVE in question.
>>
>> (in my understanding)
>>
>> Andor
>>
>>> On Aug 6, 2025, at 15:34, Patrick Hunt <ph...@apache.org> wrote:
>>>
>>> I'm confused - this thread started with "OWASP reports CVEs on the 3.8
>>> branch and noticed in the PRs that we should only upgrade logback on the
>>> master branch" - I read that as "some fixes on 3.9 are not backported to
>>> 3.8". But you are saying that this is not fixed (still owasp warnings) on
>>> 3.9 which is separate from master? Why would they be applied to master and
>>> not to any active (release) line? What is the impact of the changes on
>>> master and 3.9? iiuc there are backward incompatible changes if applied to
>>> 3.8? There should not be b/w incompatible changes applied to any 3.x (incl
>>> master, a future 3.x...) release.
>>>
>>> Patrick
>>>
>>> On Wed, Aug 6, 2025 at 1:16 PM Andor Molnar <an...@apache.org> wrote:
>>>
>>>> Yeah, that would remove the burden of maintaining the 3.8 version line,
>>>> but 3.9.x versions still don't have logback and slf4j upgraded, still
>>>> flagged by the Owasp build and users will probably still complain about
>>>> CVEs.
>>>>
>>>> My question is what should we do on branches other than the master?
>>>>
>>>> 1. Backport logback and slf4j upgrades from master, or
>>>> 2. Add Owasp suppression rule to skip checking these libraries completely.
>>>>
>>>> I need to answer this question before going forward with the 3.9.4 release.
>>>>
>>>> Regards,
>>>> Andor
>>>>
>>>>> On Aug 6, 2025, at 13:39, Christopher <ctubb...@apache.org> wrote:
>>>>>
>>>>> +1 to that idea.
>>>>>
>>>>> The releases page[1] says "Apache ZooKeeper 3.9.3 is our current
>>>>> release, and 3.8.4 our latest stable release". Is 3.9 sufficiently
>>>>> stable to replace 3.8 as the current "stable"? If the answer is yes,
>>>>> then I think it makes sense to EOL 3.8.
>>>>>
>>>>> [1]: https://zookeeper.apache.org/releases.html#download
>>>>>
>>>>> On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <ph...@apache.org> wrote:
>>>>>>
>>>>>> Should we sunset that minor release due to the "unfixable" security issue
>>>>>> and EOL of dependenc(ies)?
>>>>>>
>>>>>> Patrick
>>>>>>
>>>>>> On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <an...@apache.org> wrote:
>>>>>>
>>>>>>> Yeah, I agree with that, but we can't leave things here just like that.
>>>>>>> Either we should keep updating the logging libraries on all active branches
>>>>>>> or add the necessary suppression to Owasp. Otherwise the report result will
>>>>>>> be completely meaningless.
>>>>>>>
>>>>>>> Andor
>>>>>>>
>>>>>>>> On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
>>>>>>>>
>>>>>>>> Yes, that is basically my concern. I commented at
>>>>>>>> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
>>>>>>>>
>>>>>>>> On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
>>>>>>>>
>>>>>>>>> Christopher raised concern about it in
>>>>>>>>>
>>>>>>>>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
>>>>>>>>>
>>>>>>>>> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
>>>>>>>>> which should not be done in bugfix releases.
>>>>>>>>>
>>>>>>>>> I'm not sure. Maybe we should just add another Owasp suppression, but that
>>>>>>>>> wouldn't be appropriate either.
>>>>>>>>>
>>>>>>>>> Andor
>>>>>>>>>
>>>>>>>>>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>> That's my understanding too, but looks like folks skipped even the 3.9
>>>>>>>>>> backport in the case of logback.
>>>>>>>>>>
>>>>>>>>>> Andor
>>>>>>>>>>
>>>>>>>>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>> My understanding, I thought the rule was to backport any patch to all of
>>>>>>>>>>> the active releases unless it's a new feature. Perhaps ask the folks who
>>>>>>>>>>> committed?
>>>>>>>>>>>
>>>>>>>>>>> Patrick
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>
>>>>>>>>>>>> Currently I'm working on some backports, because OWASP reports CVEs on the
>>>>>>>>>>>> 3.8 branch and noticed in the PRs that we should only upgrade logback on
>>>>>>>>>>>> the master branch. Why is that?
>>>>>>>>>>>>
>>>>>>>>>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
>>>>>>>>>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Andor
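The thread's second option, an OWASP dependency-check suppression rule, is discussed but never shown. The file below is an added illustration, not something from the ZooKeeper project or from any of the participants. It suppresses only the two CVE identifiers and the exact package URL quoted in the original report line, rather than skipping the library completely, and it carries an expiry so the finding resurfaces if the upgrade still has not landed. The schema version in the namespace, the `until` date and the wording of the note are assumptions; the package URL, the CVE ids and the PR link are taken from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not a file from the ZooKeeper project. Narrowly scoped
     dependency-check suppression for the finding quoted in the thread.
     Assumptions: schema version 1.3 and the expiry date. The packageUrl and
     CVE identifiers are the ones in the reported OWASP line. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- "until" makes the suppression expire (assumed date), so the CVEs are
         reported again if the release line still ships logback 1.2.13 then. -->
    <suppress until="2025-12-31Z">
        <notes><![CDATA[
        Temporary: logback 1.2.13 cannot be moved to 1.3.x on this release line
        without the slf4j major upgrade. Backport discussion:
        https://github.com/apache/zookeeper/pull/2290
        Only the two reported CVEs are suppressed, not the whole artifact.
        ]]></notes>
        <!-- Exact-version match: a future bump to a different 1.2.x or 1.3.x
             build is evaluated afresh instead of being silently suppressed. -->
        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@1\.2\.13$</packageUrl>
        <cve>CVE-2024-12798</cve>
        <cve>CVE-2024-12801</cve>
    </suppress>
</suppressions>
```

With the Maven plugin the file is referenced through the `suppressionFiles` configuration element of `org.owasp:dependency-check-maven`. Scoping to specific CVEs and an exact version keeps the report meaningful, which is the concern raised in the thread about blanket suppression; the suppression still only hides the finding, it does not address it, so the expiry and the PR reference in the note are what keep the upgrade from being forgotten.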