Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2021-01-06 Thread Norbert Kalmar
Sorry for missing the notification. I did an rc1 but totally missed one CVE and only realized when doing my final checks. So I will have an rc2 instead shortly.

- Norbert

On Tue, Jan 5, 2021 at 5:23 PM Enrico Olivelli wrote:
> Il giorno mar 5 gen 2021 alle ore 15:48 Norbert Kalmar
> ha

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2021-01-05 Thread Enrico Olivelli
On Tue, Jan 5, 2021 at 15:48 Norbert Kalmar wrote:
> It failed due to the CVE, and the fix was not a clean cherry-pick to 3.5.
>

Thank you Norbert, I didn't find any official "CANCELLED" response.
no hurry

Enrico

> Then Holidays hit, and I didn't do RC2. Picking it up now,

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2021-01-05 Thread Norbert Kalmar
It failed due to the CVE, and the fix was not a clean cherry-pick to 3.5. Then Holidays hit, and I didn't do RC2. Picking it up now, and checking what needs to be backported and doing an RC2.

- Norbert

On Tue, Jan 5, 2021 at 12:26 PM Enrico Olivelli wrote:
> What's the status of this VOTE ?
>

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2021-01-05 Thread Enrico Olivelli
What's the status of this VOTE ?

Enrico

On Tue, Dec 8, 2020 at 21:28 Damien Diederen <ddiede...@sinenomine.net> wrote:
>
> Hi Andor,
>
> > Is this not the same Jar that I’ve upgraded recently, because of a CVE?
>
> It is. You updated it for CVE-2020-27216, and this is now for

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-08 Thread Damien Diederen
Hi Andor,

> Is this not the same Jar that I’ve upgraded recently, because of a CVE?

It is. You updated it for CVE-2020-27216, and this is now for CVE-2020-27218!

Cheers, -D

>> On 2020. Dec 5., at 22:03, Patrick Hunt wrote:
>>
>> Thanks Damien! I reviewed and it looks good except for

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-08 Thread Andor Molnar
Is this not the same Jar that I’ve upgraded recently, because of a CVE?

Andor

> On 2020. Dec 5., at 22:03, Patrick Hunt wrote:
>
> Thanks Damien! I reviewed and it looks good except for one small comment I
> hope we can also address (commented on PR).
>
> Regards,
>
> Patrick
>
> On Sat,

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-05 Thread Patrick Hunt
Thanks Damien! I reviewed and it looks good except for one small comment I hope we can also address (commented on PR).

Regards,

Patrick

On Sat, Dec 5, 2020 at 12:05 PM Damien Diederen wrote:
>
> Hi Patrick, all,
>
> > -1 - the dependency check is failing with a known CVE
> >
> > $ mvn clean

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-05 Thread Damien Diederen
Hi Patrick, all,

> -1 - the dependency check is failing with a known CVE
>
> $ mvn clean package -DskipTests dependency-check:check
> ...
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR]

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-04 Thread Patrick Hunt
More minor: I notice that ./zookeeper-server/src/main/resources/lib/jetty-client-9.4.34.v20201102.LICENSE.txt is included in the release even though the jar is no longer used. It should be removed.

Regards,

Patrick

On Fri, Dec 4, 2020 at 1:53 PM Patrick Hunt wrote:
> -1 - the dependency

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-04 Thread Patrick Hunt
-1 - the dependency check is failing with a known CVE

$ mvn clean package -DskipTests dependency-check:check
...
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] jetty-server-9.4.34.v20201102.jar:

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-04 Thread Norbert Kalmar
Thank you all for the review.

Damien: I don't think Jenkins jiras are even worth noting in release notes, but the other 2 are of a bigger interest.

ZOOKEEPER-1634 - the jira is missing any 3.5 fix tag. I can fix it in the jira, but I wouldn't do a new rc to have it in releasenotes.

Now the

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-04 Thread Szalay-Bekő Máté
+1 (non-binding)

- I built the source code (-Pfull-build) in docker on Ubuntu 16.04.6 using OpenJDK 8u275 and maven 3.3.9.
- all the unit tests passed (Java and C-client).
- I also built zkpython
- checkstyle and spotbugs passed
- apache-rat passed
- owasp (CVE check) passed

The only issue I

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-03 Thread Damien Diederen
Thank you, Norbert!

I went through the motions a bit more carefully than usual in preparation for the upcoming 3.7.0 job, which I am planning to start soon, but probably after you finalize this release.

+1 (advisory)

* Verified signatures and checksums;
* Built and tested on Ubuntu

Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-02 Thread Enrico Olivelli
+1 (binding)

- verified signatures and checksums
- run smoke tests with server binaries on Linux Fedora (with JDK15)
- built with JDK8 and run tests (even C-client)
- verified rat and checkstyle
- checked license files
- run thru the release notes

We have still a few inconsistencies in the way we

[VOTE] Apache ZooKeeper release 3.5.9 candidate 0

2020-12-01 Thread Norbert Kalmar
This is a bugfix release candidate for 3.5.9. It contains 24 fixes, including 2 CVE fixes.

The full release notes are available at:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12348201

*** Please download, test and vote by December 4th 2020, 23:59 UTC+0. ***

Source