Considering all of this I’ll upgrade logback + slf4j to 1.3/2.0 on the 3.9 branch today and proceed with the release. 3.9 is the current release line and I think this step is still acceptable at this stage. I won’t do the same on the stable (3.8) branch and we should talk about EoL’ing soon in a separate thread.
Andor

> On Aug 6, 2025, at 19:56, Andor Molnar <an...@apache.org> wrote:
>
> "The 1.2.x series for logback-core and logback-classic has been deprecated for several years and is no longer maintained. As such, use of the 1.2.x series is discouraged."
>
> "Logback version 1.3.15 is the latest in the 1.3.x series. It requires SLF4J version 2.0.x and JDK 8. Please note that the 1.3.x series is no longer actively developed."
>
> "The current actively developed version of logback-core and logback-classic is 1.5.18. It requires JDK 11 and SLF4J version 2.0.1 at runtime."
>
> Looks like our only option is 1.3.x, but once we drop JDK 8 support (3.10.x maybe?), we’ll be able to upgrade to 1.5.
>
>> On Aug 6, 2025, at 19:52, Andor Molnar <an...@apache.org> wrote:
>>
>> I cannot upgrade logback without upgrading slf4j as well. Build fails.
>>
>>> On Aug 6, 2025, at 17:07, Patrick Hunt <ph...@apache.org> wrote:
>>>
>>> Is slf4j really needed for security?
>>>
>>> Only cve I see here is from 2018...
>>> https://www.slf4j.org/news.html
>>>
>>> Should we revert the slf4j change in its entirety/all branches until it can be made in a b/w compatible way?
>>>
>>> Patrick
>>>
>>> On Wed, Aug 6, 2025 at 2:59 PM Andor Molnar <an...@apache.org> wrote:
>>>
>>>> Maybe the slf4j upgrade (1.7.30 -> 2.0.13) has higher impact, because it’s a major upgrade. Logback is just an example of how to do logging with ZooKeeper; real life setups probably replace it with something else like log4j2. The logging facade (slf4j) could have bw incompatible changes that will force users to make changes related to logging on their classpath.
>>>>
>>>> I’m speculating and haven’t checked slf4j for details.
>>>>
>>>> Andor
>>>>
>>>>> On Aug 6, 2025, at 16:46, Patrick Hunt <ph...@apache.org> wrote:
>>>>>
>>>>> Is the only problem the minor "semantic" upgrade of logback in a fix release of zk? That should be stable (contract wise) on the dependency, right? Or is there some real impact, eg b/w incompat change visible to ZK users? If the former that seems fine, if the latter then we have a harder problem to address. (security issue breaking b/w compat)
>>>>>
>>>>> Patrick
>>>>>
>>>>> On Wed, Aug 6, 2025 at 2:36 PM Andor Molnar <an...@apache.org> wrote:
>>>>>
>>>>>> Sorry for the confusion, I picked 3.8 as an example, but logback/slf4j upgrades haven’t been backported to 3.9 either. Therefore I created the following backport PR:
>>>>>>
>>>>>> https://github.com/apache/zookeeper/pull/2290
>>>>>>
>>>>>>> "Why would they be applied to master and not to any active (release) line?
>>>>>>
>>>>>> Since we’ve already released 3.9.3 with logback 1.2.13 and don’t want users to realize 1.2->1.3 logback upgrade in a 3.9.3->3.9.4 ZooKeeper upgrade process, although this upgrade is necessary anyways to address the CVE in question.
>>>>>>
>>>>>> (in my understanding)
>>>>>>
>>>>>> Andor
>>>>>>
>>>>>>> On Aug 6, 2025, at 15:34, Patrick Hunt <ph...@apache.org> wrote:
>>>>>>>
>>>>>>> I'm confused - this thread started with "OWASP reports CVEs on the 3.8 branch and noticed in the PRs that we should only upgrade logback on the master branch" - I read that as "some fixes on 3.9 are not backported to 3.8". But you are saying that this is not fixed (still owasp warnings) on 3.9 which is separate from master? Why would they be applied to master and not to any active (release) line? What is the impact of the changes on master and 3.9? iiuc there are backward incompatible changes if applied to 3.8? There should not be b/w incompatible changes applied to any 3.x (incl master, a future 3.x...) release.
>>>>>>>
>>>>>>> Patrick
>>>>>>>
>>>>>>> On Wed, Aug 6, 2025 at 1:16 PM Andor Molnar <an...@apache.org> wrote:
>>>>>>>
>>>>>>>> Yeah, that would remove the burden of maintaining the 3.8 version line, but 3.9.x versions still don’t have logback and slf4j upgraded, still flagged by the Owasp build and users will probably still complain about CVEs.
>>>>>>>>
>>>>>>>> My question is what should we do on branches other than the master?
>>>>>>>>
>>>>>>>> 1. Backport logback and slf4j upgrades from master, or
>>>>>>>> 2. Add Owasp suppression rule to skip checking these libraries completely.
>>>>>>>>
>>>>>>>> I need to answer this question before going forward with the 3.9.4 release.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Andor
>>>>>>>>
>>>>>>>>> On Aug 6, 2025, at 13:39, Christopher <ctubb...@apache.org> wrote:
>>>>>>>>>
>>>>>>>>> +1 to that idea.
>>>>>>>>>
>>>>>>>>> The releases page[1] says "Apache ZooKeeper 3.9.3 is our current release, and 3.8.4 our latest stable release". Is 3.9 sufficiently stable to replace 3.8 as the current "stable"? If the answer is yes, then I think it makes sense to EOL 3.8.
>>>>>>>>>
>>>>>>>>> [1]: https://zookeeper.apache.org/releases.html#download
>>>>>>>>>
>>>>>>>>> On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <ph...@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>> Should we sunset that minor release due to the "unfixable" security issue and EOL of dependenc(ies)?
>>>>>>>>>>
>>>>>>>>>> Patrick
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <an...@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> Yeah, I agree with that, but we can’t leave things here just like that. Either we should keep updating the logging libraries on all active branches or add the necessary suppression to Owasp. Otherwise the report result will be completely meaningless.
>>>>>>>>>>>
>>>>>>>>>>> Andor
>>>>>>>>>>>
>>>>>>>>>>>> On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Yes, that is basically my concern. I commented at
>>>>>>>>>>>> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Christopher raised concern about it in
>>>>>>>>>>>>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
>>>>>>>>>>>>>
>>>>>>>>>>>>> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x which should not be done in bugfix releases.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I’m not sure. Maybe we should just add another Owasp suppression, but that wouldn’t be appropriate either.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Andor
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> That’s my understanding too, but looks like folks skipped even the 3.9 backport in the case of logback.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Andor
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> My understanding, I thought the rule was to backport any patch to all of the active releases unless it's a new feature. Perhaps ask the folks who committed?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Patrick
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Currently I’m working on some backports, because OWASP reports CVEs on the 3.8 branch and noticed in the PRs that we should only upgrade logback on the master branch. Why is that?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13, cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>> Andor