[
https://issues.apache.org/jira/browse/ZOOKEEPER-4543?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17564813#comment-17564813
]
Mate Szalay-Beko commented on ZOOKEEPER-4543:
---------------------------------------------
it was merged
([https://github.com/apache/zookeeper/commit/c73797e15204f6f30ce861e19c9c6cea9ca52e95)]
but the CLI PR merge script doesn't close the PR for some reason, unless it
was opened against the `master` branch. I'm not sure if this is a limntation of
the script or if this is some github limitation... anyway, I closed the PR
manually.
> upgrade dependencies on branch-3.5 to avoid CVEs
> ------------------------------------------------
>
> Key: ZOOKEEPER-4543
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4543
> Project: ZooKeeper
> Issue Type: Task
> Affects Versions: 3.5.9
> Reporter: Mate Szalay-Beko
> Assignee: Mate Szalay-Beko
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.5.10
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> The aim of this ticket to fix all CVEs on branch-3.5 before the last 3.5.10
> release.
> branch-3.5 is quite outdated when it comes to CVE fixes. I already backported
> ZOOKEEPER-4455 (remove log4j and add reload4j) but other dependencies are
> also outdated. Most probably the dependency plugin also needs to be updated
> to avoid the netty-transport related false-positive CVEs.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
