I cannot upgrade logback without upgrading slf4j as well. Build fails.

> On Aug 6, 2025, at 17:07, Patrick Hunt <ph...@apache.org> wrote:
>
> Is slf4j really needed for security?
>
> Only cve I see here is from 2018...
> https://www.slf4j.org/news.html
>
> Should we revert the slf4j change in its entirety/all branches until it can
> be made in a b/w compatible way?
>
> Patrick
>
> On Wed, Aug 6, 2025 at 2:59 PM Andor Molnar <an...@apache.org> wrote:
>
>> Maybe the slf4j upgrade (1.7.30 -> 2.0.13) has higher impact, because it’s
>> a major upgrade. Logback is just an example of how to do logging with
>> ZooKeeper; real-life setups probably replace it with something else like
>> log4j2. The logging facade (slf4j) could have bw incompatible changes that
>> will force users to make changes related to logging on their classpath.
>>
>> I’m speculating and haven’t checked slf4j for details.
>>
>> Andor
>>
>>> On Aug 6, 2025, at 16:46, Patrick Hunt <ph...@apache.org> wrote:
>>>
>>> Is the only problem the minor "semantic" upgrade of logback in a fix
>>> release of zk? That should be stable (contract wise) on the dependency,
>>> right? Or is there some real impact, eg b/w incompat change visible to ZK
>>> users? If the former that seems fine, if the latter then we have a harder
>>> problem to address. (security issue breaking b/w compat)
>>>
>>> Patrick
>>>
>>> On Wed, Aug 6, 2025 at 2:36 PM Andor Molnar <an...@apache.org> wrote:
>>>
>>>> Sorry for the confusion, I picked 3.8 as an example, but logback/slf4j
>>>> upgrades haven’t been backported to 3.9 either. Therefore I created the
>>>> following backport PR:
>>>>
>>>> https://github.com/apache/zookeeper/pull/2290
>>>>
>>>>> "Why would they be applied to master and not to any active (release)
>>>>> line?
>>>>
>>>> Since we’ve already released 3.9.3 with logback 1.2.13 and don’t want
>>>> users to realize 1.2->1.3 logback upgrade in a 3.9.3->3.9.4 ZooKeeper
>>>> upgrade process, although this upgrade is necessary anyways to address
>>>> the CVE in question.
>>>>
>>>> (in my understanding)
>>>>
>>>> Andor
>>>>
>>>>> On Aug 6, 2025, at 15:34, Patrick Hunt <ph...@apache.org> wrote:
>>>>>
>>>>> I'm confused - this thread started with "OWASP reports CVEs on the 3.8
>>>>> branch and noticed in the PRs that we should only upgrade logback on
>>>>> the master branch" - I read that as "some fixes on 3.9 are not
>>>>> backported to 3.8". But you are saying that this is not fixed (still
>>>>> owasp warnings) on 3.9 which is separate from master? Why would they be
>>>>> applied to master and not to any active (release) line? What is the
>>>>> impact of the changes on master and 3.9? iiuc there are backward
>>>>> incompatible changes if applied to 3.8? There should not be b/w
>>>>> incompatible changes applied to any 3.x (incl master, a future 3.x...)
>>>>> release.
>>>>>
>>>>> Patrick
>>>>>
>>>>> On Wed, Aug 6, 2025 at 1:16 PM Andor Molnar <an...@apache.org> wrote:
>>>>>
>>>>>> Yeah, that would remove the burden of maintaining the 3.8 version
>>>>>> line, but 3.9.x versions still don’t have logback and slf4j upgraded,
>>>>>> still flagged by the Owasp build and users will probably still
>>>>>> complain about CVEs.
>>>>>>
>>>>>> My question is what should we do on branches other than the master?
>>>>>>
>>>>>> 1. Backport logback and slf4j upgrades from master, or
>>>>>> 2. Add Owasp suppression rule to skip checking these libraries
>>>>>>    completely.
>>>>>>
>>>>>> I need to answer this question before going forward with the 3.9.4
>>>>>> release.
>>>>>>
>>>>>> Regards,
>>>>>> Andor
>>>>>>
>>>>>>> On Aug 6, 2025, at 13:39, Christopher <ctubb...@apache.org> wrote:
>>>>>>>
>>>>>>> +1 to that idea.
>>>>>>>
>>>>>>> The releases page[1] says "Apache ZooKeeper 3.9.3 is our current
>>>>>>> release, and 3.8.4 our latest stable release". Is 3.9 sufficiently
>>>>>>> stable to replace 3.8 as the current "stable"? If the answer is yes,
>>>>>>> then I think it makes sense to EOL 3.8.
>>>>>>>
>>>>>>> [1]: https://zookeeper.apache.org/releases.html#download
>>>>>>>
>>>>>>> On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <ph...@apache.org> wrote:
>>>>>>>>
>>>>>>>> Should we sunset that minor release due to the "unfixable" security
>>>>>>>> issue and EOL of dependenc(ies)?
>>>>>>>>
>>>>>>>> Patrick
>>>>>>>>
>>>>>>>> On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <an...@apache.org> wrote:
>>>>>>>>
>>>>>>>>> Yeah, I agree with that, but we can’t leave things here just like
>>>>>>>>> that. Either we should keep updating the logging libraries on all
>>>>>>>>> active branches or add the necessary suppression to Owasp.
>>>>>>>>> Otherwise the report result will be completely meaningless.
>>>>>>>>>
>>>>>>>>> Andor
>>>>>>>>>
>>>>>>>>>> On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>> Yes, that is basically my concern. I commented at
>>>>>>>>>> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
>>>>>>>>>>
>>>>>>>>>> On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> Christopher raised concern about it in
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
>>>>>>>>>>>
>>>>>>>>>>> I suspect because SLF4j has to be major upgraded with logback
>>>>>>>>>>> 1.x -> 2.x which should not be done in bugfix releases.
>>>>>>>>>>>
>>>>>>>>>>> I’m not sure. Maybe we should just add another Owasp
>>>>>>>>>>> suppression, but that wouldn’t be appropriate either.
>>>>>>>>>>>
>>>>>>>>>>> Andor
>>>>>>>>>>>
>>>>>>>>>>>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> That’s my understanding too, but looks like folks skipped even
>>>>>>>>>>>> the 3.9 backport in the case of logback.
>>>>>>>>>>>>
>>>>>>>>>>>> Andor
>>>>>>>>>>>>
>>>>>>>>>>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> My understanding, I thought the rule was to backport any patch
>>>>>>>>>>>>> to all of the active releases unless it's a new feature.
>>>>>>>>>>>>> Perhaps ask the folks who committed?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Patrick
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Currently I’m working on some backports, because OWASP reports
>>>>>>>>>>>>>> CVEs on the 3.8 branch and noticed in the PRs that we should
>>>>>>>>>>>>>> only upgrade logback on the master branch. Why is that?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> logback-core-1.2.13.jar
>>>>>>>>>>>>>> (pkg:maven/ch.qos.logback/logback-core@1.2.13,
>>>>>>>>>>>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798,
>>>>>>>>>>>>>> CVE-2024-12801
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Andor