Hi,

I'm (finally) planning to cut Jackrabbit Oak 1.22.8 on Wednesday (July 14th).
For current vulnerabilities in trunk and in this release I opened OAK-9491 [0] which will be addressed later. The candidate release notes are here [1].

Regards,
Andrei

[0] https://issues.apache.org/jira/browse/OAK-9491
[1] https://github.com/apache/jackrabbit-oak/blob/1.22/RELEASE-NOTES.txt

On Mon, Jul 12, 2021 at 1:04 PM Julian Reschke <[email protected]> wrote:

> On 12.07.2021 at 11:16, Andrei Dulceanu wrote:
> > Hi Julian,
> >
> > For the time being I think OAK-9451, OAK-9473 and OAK-9401 are sufficient.
> > We can include in a later release the other candidates. Speaking of this,
> > what's the situation with OAK-9038? Does it need to be backported on this
> > branch?
>
> I do not recall, to be honest. The fix was needed in trunk, so I would
> assume it should be backported.
>
> > When it comes to dependencies for
> > https://nvd.nist.gov/vuln/detail/CVE-2020-25649, I saw there's already a PR
> > for updating netty. Is there something else which you think is mandatory to go
> > inside now?
>
> I would need to check (try "mvn org.owasp:dependency-check-maven:6.0.0:aggregate").
>
> > I don't want to rush this release, but don't want to stall it either...
> > Ideally I'd cut it tomorrow or Wednesday, 14th of July.
>
> Ack.
>
> Best regards, Julian
