Re: Request to join slack

2023-01-09 Thread Ben Johnston
Enrico,

Thanks for the reply!

> Those CVEs are about library upgrades.

> Can you please double check if we already upgraded those libraries?

The required fix version for netty is 4.1.86.Final. It looks like the 3.8 
branch is sitting at 4.1.7[36].Final
https://github.com/apache/zookeeper/blob/branch-3.8/pom.xml#L470
https://github.com/apache/zookeeper/blob/branch-3.8.0/pom.xml#L470

Likewise Jackson should be 2.13.2.1 but I see 2.13.1 in the 3.8 branch

> I think that it would only be a matter of cutting a release. It has been 
> quite some time that we didn't cut a release out of the 3.8 branch. We can do 
> it.

We would certainly appreciate you cutting 3.8.1

> Jackson is usually easily upgradable and Netty requires only some testing.

> If you can't wait for a release you could upgrade those libraries and build
> your package

We are considering this. Thanks!

Ben
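A small checker for the comparison Ben describes above (the versions pinned in a branch's pom.xml against the fix versions for a set of CVEs), added here as an example; it is not code from the thread or from the ZooKeeper project. The pom.xml fragment is constructed, and the property names netty.version and jackson.version are assumptions rather than a copy of the real branch-3.8 file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment (assumption: versions are pinned as Maven
# properties; the real branch-3.8 pom.xml is not reproduced here).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <netty.version>4.1.73.Final</netty.version>
    <jackson.version>2.13.1</jackson.version>
  </properties>
</project>"""

# Minimum fixed versions quoted in the thread.
REQUIRED = {"netty.version": "4.1.86.Final", "jackson.version": "2.13.2.1"}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
RELEASE_QUALIFIERS = {"final", "ga", "release"}


def version_key(version):
    """Comparable key: numeric parts compare as integers; 'Final'/'GA'
    count as a plain release; any other qualifier (SNAPSHOT, rc, beta)
    sorts *before* the release with the same numbers, as Maven does."""
    parts = re.split(r"[.\-]", version)
    nums = tuple(int(p) for p in parts if p.isdigit())
    quals = tuple(p.lower() for p in parts
                  if not p.isdigit() and p.lower() not in RELEASE_QUALIFIERS)
    rank = 0 if not quals else -1
    return (nums, rank, quals)


def read_properties(pom_xml):
    """Map <properties> child names (namespace stripped) to their values."""
    root = ET.fromstring(pom_xml)
    props = root.find("m:properties", NS)
    return {c.tag.split("}")[-1]: (c.text or "").strip() for c in props}


def outdated(pom_xml, required=REQUIRED):
    """Return {property: (pinned, required)} for every library whose pinned
    version is missing or older than the fix version."""
    props = read_properties(pom_xml)
    result = {}
    for prop, fix in required.items():
        current = props.get(prop)
        if current is None or version_key(current) < version_key(fix):
            result[prop] = (current, fix)
    return result
```

Run `outdated(SAMPLE_POM)` against the constructed fragment and both libraries are reported as behind their fix versions; the check only sees versions pinned as properties, so a version written directly in a `<dependency>` block would need the same treatment there.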




Re: Request to join slack

2023-01-06 Thread Enrico Olivelli
Ben,

On Thu 5 Jan 2023, 20:45 Ben Johnston wrote:

> Hello,
>
> I am an app sec engineer for a company who uses Zookeeper. I would like to
> join the slack as a guest to get some visibility on the release process,
>
We are not using slack for communication about those things.

There is a global ASF slack space, usually open only to committers +
guests, and we have a zookeeper channel. But it is only meant for informal
quick chats, like pinging someone for review.

Discussions happen here on dev@ and if you want to report a new issue you
have to use security@zookeeper.apache.org, which is a private list.

> especially as it relates to updating library versions to fix CVEs. My team
> is tracking several CVEs
>
> CVE-2022-42003/4
> CVE-2020-36518
> CVE-2022-41915
>
> We’re on the 3.8 version. Thanks!
>
Those CVEs are about library upgrades.

Can you please double check if we already upgraded those libraries?

I think that it would only be a matter of cutting a release. It has been
quite some time that we didn't cut a release out of the 3.8 branch. We can
do it.

Jackson is usually easily upgradable and Netty requires only some testing.

If you can't wait for a release you could upgrade those libraries and build
your package

Thanks

Enrico



> Ben Johnston, GCIH, GCFA, GPEN
> Application Security Engineer
> COFENSE
> o. 785-250-4412
> e. ben.johns...@cofense.com


Request to join slack

2023-01-05 Thread Ben Johnston
Hello,

I am an app sec engineer for a company who uses Zookeeper. I would like to join 
the slack as a guest to get some visibility on the release process, especially 
as it relates to updating library versions to fix CVEs. My team is tracking 
several CVEs

CVE-2022-42003/4
CVE-2020-36518
CVE-2022-41915

We’re on the 3.8 version. Thanks!


Ben Johnston, GCIH, GCFA, GPEN
Application Security Engineer
COFENSE
o. 785-250-4412
e. ben.johns...@cofense.com
