I don't think the upgrade to slf4j 2 is purely a semantic one. I think
there are genuine incompatibilities, but probably not too many. For
example, slf4j2 drops support for Java 7 (probably not a problem for
ZK, since I think Java 8 is already a requirement), and it switches
the binding mechanisms, so that if somebody was using a different
slf4j runtime other than logback, then it probably won't work anymore
without additional changes on the user's part.

I think the switch on 3.9 is probably okay, but users should be warned
that their logging will probably break if they had used a different
runtime binding for slf4j other than the logback version that ships
with ZK.

As for the differences between logback 1.2 and 1.3, I have no idea...
it's probably fine, since ZK is mainly just using it via slf4j-api
anyway, rather than using it directly, but I'd start getting concerned
that 1.3 is also no longer being developed. ZK should probably get
ahead of that on the master branch by requiring Java 11, and using
logback 1.5 there, if it hasn't been done already. Or else this
question of switching from logback 1.2 to 1.3 is going to come up
again soon when there's a CVE found against 1.3 and you have to switch
to 1.5 and Java 11.... certainly don't want to do that in a bugfix
release from the ZK 3.9 branch.

On Thu, Aug 7, 2025 at 9:41 AM Andor Molnar <an...@apache.org> wrote:
>
> Considering all of this I’ll upgrade logback + slf4j to 1.3/2.0 on the 3.9 
> branch today and proceed with the release. 3.9 is the current release line 
> and I think this step is still acceptable at this stage. I won’t do the same 
> on the stable (3.8) branch and we should talk about EoL’ing soon in a 
> separate thread.
>
> Andor
>
>
>
>
> > On Aug 6, 2025, at 19:56, Andor Molnar <an...@apache.org> wrote:
> >
> > "The 1.2.x series for logback-core and logback-classic has been deprecated
> > for several years and is no longer maintained. As such, use of the 1.2.x
> > series is discouraged."
> >
> > "Logback version 1.3.15 is the latest in the 1.3.x series. It requires
> > SLF4J version 2.0.x and JDK 8. Please note that the 1.3.x series is no
> > longer actively developed."
> >
> > "The current actively developed version of logback-core and logback-classic
> > is 1.5.18. It requires JDK 11 and SLF4J version 2.0.1 at runtime."
> >
> > Looks like our only option is 1.3.x, but once we drop JDK 8 support (3.10.x 
> > maybe?), we’ll be able to upgrade to 1.5.
> >
> >
> >
> >
> >> On Aug 6, 2025, at 19:52, Andor Molnar <an...@apache.org> wrote:
> >>
> >> I cannot upgrade logback without upgrading slf4j as well. Build fails.
> >>
> >>
> >>
> >>
> >>
> >>> On Aug 6, 2025, at 17:07, Patrick Hunt <ph...@apache.org> wrote:
> >>>
> >>> Is slf4j really needed for security?
> >>>
> >>> Only cve I see here is from 2018...
> >>> https://www.slf4j.org/news.html
> >>>
> >>> Should we revert the slf4j change in its entirety/all branches until it can
> >>> be made in a b/w compatible way?
> >>>
> >>> Patrick
> >>>
> >>> On Wed, Aug 6, 2025 at 2:59 PM Andor Molnar <an...@apache.org> wrote:
> >>>
> >>>> Maybe the slf4j upgrade (1.7.30 -> 2.0.13) has higher impact, because it’s
> >>>> a major upgrade. Logback is just an example of how to do logging with
> >>>> ZooKeeper; real life setups probably replace it with something else like
> >>>> log4j2. The logging facade (slf4j) could have bw incompatible changes that
> >>>> will force users to make changes related to logging on their classpath.
> >>>>
> >>>> I’m speculating and haven’t checked slf4j for details.
> >>>>
> >>>> Andor
> >>>>
> >>>>
> >>>>
> >>>>> On Aug 6, 2025, at 16:46, Patrick Hunt <ph...@apache.org> wrote:
> >>>>>
> >>>>> Is the only problem the minor "semantic" upgrade of logback in a fix
> >>>>> release of zk? That should be stable (contract wise) on the dependency,
> >>>>> right? Or is there some real impact, eg b/w incompat change visible to ZK
> >>>>> users? If the former that seems fine, if the latter then we have a harder
> >>>>> problem to address. (security issue breaking b/w compat)
> >>>>>
> >>>>> Patrick
> >>>>>
> >>>>> On Wed, Aug 6, 2025 at 2:36 PM Andor Molnar <an...@apache.org> wrote:
> >>>>>
> >>>>>> Sorry for the confusion, I picked 3.8 as an example, but logback/slf4j
> >>>>>> upgrades haven’t been backported to 3.9 either. Therefore I created the
> >>>>>> following backport PR:
> >>>>>>
> >>>>>> https://github.com/apache/zookeeper/pull/2290
> >>>>>>
> >>>>>>
> >>>>>>> "Why would they be applied to master and not to any active (release)
> >>>>>>> line?"
> >>>>>>
> >>>>>> Since we’ve already released 3.9.3 with logback 1.2.13 and don’t want
> >>>>>> users to realize 1.2->1.3 logback upgrade in a 3.9.3->3.9.4 ZooKeeper
> >>>>>> upgrade process, although this upgrade is necessary anyways to address the
> >>>>>> CVE in question.
> >>>>>>
> >>>>>> (in my understanding)
> >>>>>>
> >>>>>> Andor
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> On Aug 6, 2025, at 15:34, Patrick Hunt <ph...@apache.org> wrote:
> >>>>>>>
> >>>>>>> I'm confused - this thread started with "OWASP reports CVEs on the 3.8
> >>>>>>> branch and noticed in the PRs that we should only upgrade logback on the
> >>>>>>> master branch" - I read that as "some fixes on 3.9 are not backported to
> >>>>>>> 3.8". But you are saying that this is not fixed (still owasp warnings) on
> >>>>>>> 3.9 which is separate from master? Why would they be applied to master and
> >>>>>>> not to any active (release) line? What is the impact of the changes on
> >>>>>>> master and 3.9? iiuc there are backward incompatible changes if applied to
> >>>>>>> 3.8? There should not be b/w incompatible changes applied to any 3.x (incl
> >>>>>>> master, a future 3.x...) release.
> >>>>>>>
> >>>>>>> Patrick
> >>>>>>>
> >>>>>>> On Wed, Aug 6, 2025 at 1:16 PM Andor Molnar <an...@apache.org> wrote:
> >>>>>>>
> >>>>>>>> Yeah, that would remove the burden of maintaining the 3.8 version line,
> >>>>>>>> but 3.9.x versions still don’t have logback and slf4j upgraded, still
> >>>>>>>> flagged by the Owasp build and users will probably still complain about
> >>>>>>>> CVEs.
> >>>>>>>>
> >>>>>>>> My question is what should we do on branches other than the master?
> >>>>>>>>
> >>>>>>>> 1. Backport logback and slf4j upgrades from master, or
> >>>>>>>> 2. Add Owasp suppression rule to skip checking these libraries completely.
> >>>>>>>>
> >>>>>>>> I need to answer this question before going forward with the 3.9.4 release.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Andor
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> On Aug 6, 2025, at 13:39, Christopher <ctubb...@apache.org> wrote:
> >>>>>>>>>
> >>>>>>>>> +1 to that idea.
> >>>>>>>>>
> >>>>>>>>> The releases page[1] says "Apache ZooKeeper 3.9.3 is our current
> >>>>>>>>> release, and 3.8.4 our latest stable release". Is 3.9 sufficiently
> >>>>>>>>> stable to replace 3.8 as the current "stable"? If the answer is yes,
> >>>>>>>>> then I think it makes sense to EOL 3.8.
> >>>>>>>>>
> >>>>>>>>> [1]: https://zookeeper.apache.org/releases.html#download
> >>>>>>>>>
> >>>>>>>>> On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <ph...@apache.org> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Should we sunset that minor release due to the "unfixable" security issue
> >>>>>>>>>> and EOL of dependenc(ies)?
> >>>>>>>>>>
> >>>>>>>>>> Patrick
> >>>>>>>>>>
> >>>>>>>>>> On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <an...@apache.org> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Yeah, I agree with that, but we can’t leave things here just like that.
> >>>>>>>>>>> Either we should keep updating the logging libraries on all active branches
> >>>>>>>>>>> or add the necessary suppression to Owasp. Otherwise the report result will
> >>>>>>>>>>> be completely meaningless.
> >>>>>>>>>>>
> >>>>>>>>>>> Andor
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>> On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Yes, that is basically my concern. I commented at
> >>>>>>>>>>>>
> >>>>>>>>>>>> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Christopher raised concern about it in
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
> >>>>>>>>>>>>> which should not be done in bugfix releases.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I’m not sure. Maybe we should just add another Owasp suppression, but
> >>>>>>>>>>>>> that wouldn’t be appropriate either.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Andor
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> That’s my understanding too, but looks like folks skipped even the 3.9
> >>>>>>>>>>>>>> backport in the case of logback.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Andor
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> My understanding, I thought the rule was to backport any patch to all of
> >>>>>>>>>>>>>>> the active releases unless it's a new feature. Perhaps ask the folks who
> >>>>>>>>>>>>>>> committed?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Patrick
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Hi folks,
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Currently I’m working on some backports, because OWASP reports CVEs on the
> >>>>>>>>>>>>>>>> 3.8 branch and noticed in the PRs that we should only upgrade logback on
> >>>>>>>>>>>>>>>> the master branch. Why is that?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
> >>>>>>>>>>>>>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>>>> Andor
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>>>
> >>>>
> >>>>
> >>
> >
>
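The first message in this thread warns that slf4j-api 2.x switches the binding mechanism, so a deployment that replaced the logback shipped with ZooKeeper by some other SLF4J 1.7-style binding will lose its logging after the 1.2 -> 1.3 / 1.7 -> 2.0 upgrade. The script below is an added example, not code from the thread or from the ZooKeeper project: it scans a lib directory of jars and reports whether each backend registers the SLF4J 1.x binder class (org/slf4j/impl/StaticLoggerBinder.class) or a 2.x ServiceLoader provider (META-INF/services/org.slf4j.spi.SLF4JServiceProvider), and classifies what slf4j-api 2.x would do with that classpath. The jar and directory names it builds for the demonstration are constructed, not real artifacts.

```python
"""Added example: check a lib/ directory for the SLF4J 1.x -> 2.x binding change.

slf4j-api 1.7.x locates its backend through the class
org/slf4j/impl/StaticLoggerBinder.class inside the binding jar. slf4j-api 2.x
no longer looks at that class; it uses java.util.ServiceLoader and expects a
provider listed in META-INF/services/org.slf4j.spi.SLF4JServiceProvider.
A backend that only ships the 1.x binder is therefore ignored after the
upgrade and SLF4J falls back to its NOP logger. The sample jars written by
build_sample_lib() are constructed demo data, not real artifacts.
"""
import os
import sys
import tempfile
import zipfile
from dataclasses import dataclass, field

BINDER_1X = "org/slf4j/impl/StaticLoggerBinder.class"
PROVIDER_2X = "META-INF/services/org.slf4j.spi.SLF4JServiceProvider"


@dataclass
class JarReport:
    name: str
    has_1x_binder: bool
    providers_2x: list = field(default_factory=list)


def inspect_jar(path):
    """Report which SLF4J binding mechanism(s) one jar implements."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        providers = []
        if PROVIDER_2X in names:
            text = jar.read(PROVIDER_2X).decode("utf-8", errors="replace")
            # ServiceLoader files list one class per line; '#' starts a comment
            providers = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
            providers = [p for p in providers if p]
    return JarReport(os.path.basename(path), BINDER_1X in names, providers)


def scan_classpath(lib_dir):
    """Inspect every *.jar in lib_dir, in name order."""
    return [inspect_jar(os.path.join(lib_dir, f))
            for f in sorted(os.listdir(lib_dir)) if f.endswith(".jar")]


def assess(reports):
    """Classify the directory against slf4j-api 2.x.

    Returns (status, findings): status is 'ok' (exactly one 2.x provider),
    'no-provider' (logging would go to NOP) or 'multiple-providers'
    (SLF4J picks one and prints a warning).
    """
    findings = []
    providers = [(r.name, p) for r in reports for p in r.providers_2x]
    for r in reports:
        if r.has_1x_binder and not r.providers_2x:
            findings.append(f"{r.name}: 1.x-only binding, ignored by slf4j-api 2.x")
    if not providers:
        findings.append("no SLF4J 2.x provider on the classpath")
        return "no-provider", findings
    if len(providers) > 1:
        findings.append("several 2.x providers: "
                        + ", ".join(f"{n} ({p})" for n, p in providers))
        return "multiple-providers", findings
    return "ok", findings


def build_sample_lib(target_dir, with_2x_provider):
    """Write constructed jars that mimic the two layouts (demo data only)."""
    with zipfile.ZipFile(os.path.join(target_dir, "legacy-slf4j-binding.jar"), "w") as z:
        z.writestr(BINDER_1X, b"")  # empty entry stands in for the real class
    with zipfile.ZipFile(os.path.join(target_dir, "zookeeper-sample.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    if with_2x_provider:
        with zipfile.ZipFile(os.path.join(target_dir, "logback-classic-1.3-sample.jar"), "w") as z:
            # provider class name as registered by logback 1.3 and later
            z.writestr(PROVIDER_2X, "ch.qos.logback.classic.spi.LogbackServiceProvider\n")
    return target_dir


def demo_assessment(with_2x_provider):
    """Build a constructed lib dir in a temp folder and assess it."""
    lib_dir = build_sample_lib(tempfile.mkdtemp(prefix="slf4j-check-"), with_2x_provider)
    return assess(scan_classpath(lib_dir))


def main(argv):
    if len(argv) > 1:
        status, findings = assess(scan_classpath(argv[1]))  # e.g. zookeeper/lib
    else:
        status, findings = demo_assessment(with_2x_provider=False)
    print(status)
    for f in findings:
        print("  -", f)
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path of the unpacked distribution's lib directory as the only argument; a non-zero exit means that, once slf4j-api 2.x is on the classpath, either no backend would be picked up at all or more than one would compete. Without an argument it assesses the constructed sample, which reproduces the "1.x-only binding" case the thread is worried about.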
