[jira] [Resolved] (ZOOKEEPER-4805) Update cwiki page with latest changes
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Szucs Villo resolved ZOOKEEPER-4805.
Resolution: Fixed

> Update cwiki page with latest changes
> -------------------------------------
>
> Key: ZOOKEEPER-4805
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4805
> Project: ZooKeeper
> Issue Type: Sub-task
> Components: documentation
> Reporter: Andor Molnar
> Assignee: Szucs Villo
> Priority: Major
>
> Update the following wiki page with latest changes and instructions how to
> use the script:
> [https://cwiki.apache.org/confluence/display/ZOOKEEPER/Merging+Github+Pull+Requests]

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (ZOOKEEPER-4784) Token based ASF JIRA authentication
Szucs Villo created ZOOKEEPER-4784:
-----------------------------------

Summary: Token based ASF JIRA authentication
Key: ZOOKEEPER-4784
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4784
Project: ZooKeeper
Issue Type: Sub-task
Components: tools
Reporter: Szucs Villo
Assignee: Szucs Villo

https://issues.apache.org/jira/browse/SPARK-44802
[jira] [Assigned] (ZOOKEEPER-4756) Merge script should use GitHub api to merge pull requests
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Szucs Villo reassigned ZOOKEEPER-4756:
--------------------------------------

Assignee: Szucs Villo

> Merge script should use GitHub api to merge pull requests
> ---------------------------------------------------------
>
> Key: ZOOKEEPER-4756
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4756
> Project: ZooKeeper
> Issue Type: Improvement
> Components: tools
> Affects Versions: 3.9.0
> Reporter: Andor Molnar
> Assignee: Szucs Villo
> Priority: Major
> Labels: github-pullrequest, merge
>
> Github merge script (zk-merge-pr.py) is a nice tool which does a lot of
> housekeeping tasks when merging a PR including fixing the commit message or
> closing the Jira. Merging on the Github UI is also possible, but could lead
> to mistakes like leaving the commit message without the Jira id.
> Unfortunately when the script merges the PR it does that without Github and
> leaving the PR in 'Closed' rather than 'Merged'. This is misleading. Let's
> improve the script to use Github API for merging PRs and possibly disable
> merging on the Github UI.
> Email thread:
> [https://lists.apache.org/thread/cbmktklydtlylkybvq6jrx5m4l8b2cm5]
>
> A few enhancements to the script by the Spark team since we ported it. Might
> be useful to backport some of these too:
> SPARK-44972 Eagerly check if the token is valid to align with the behavior of
> username/password auth
> SPARK-45008 Improve branch suggestion for backporting
> SPARK-45031 Choose the right merge code path and merge hash for reopened PRs
> SPARK-45007 fix merged pull requests resolution
> SPARK-44813 The JIRA Python misses our assignee when it searches user again
> SPARK-44944 Auto grant contributor role to first-time contributors
> SPARK-44875 commentor to commenter in merge script
> SPARK-44760 Index Out Of Bound for JIRA resolution in merge_spark_pr
> SPARK-44802 Token based ASF JIRA authentication
[jira] [Commented] (ZOOKEEPER-4696) Update for Zookeeper latest version
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17728239#comment-17728239 ]

Szucs Villo commented on ZOOKEEPER-4696:

There are 3 CVEs in the branch-3.8.1:

[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
[ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)

I think CVE-2022-45688 is a false positive. ([https://github.com/jeremylong/DependencyCheck/actions/runs/5126385253])

CVE-2023-26048(5.3) and CVE-2023-26049(5.3) are tracked here: https://issues.apache.org/jira/browse/ZOOKEEPER-4700.

> Update for Zookeeper latest version
>
> Key: ZOOKEEPER-4696
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4696
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.8.0
> Reporter: Dilip anand
> Assignee: Szucs Villo
> Priority: Critical
> Labels: CVE
>
> Hi team,
> We ran a scan for security vulnerability fixes, we have seen CVEs that
> are affected for zookeeper and version of zookeeper we are using is 3.8.0.
> Here are the CVEs which are affected with zookeeper
> CVE-2022-32221,CVE-2023-23914,CVE-2023-27533,CVE-2023-27534,CVE-2022-22576,CVE-2020-8169,CVE-2020-8285,CVE-2020-8286,CVE-2021-22926,CVE-2021-22946,CVE-2022-27775,CVE-2022-27781,CVE-2022-27782,CVE-2023-23916
> which do not have any reports in Red Hat website. We want to know what
> version of zookeeper will clear these CVEs and when it'll be released?
> Regards,
> Dilip
[jira] [Comment Edited] (ZOOKEEPER-4696) Update for Zookeeper latest version
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17727562#comment-17727562 ]

Szucs Villo edited comment on ZOOKEEPER-4696 at 5/31/23 2:08 PM:
-----------------------------------------------------------------

I started working on the patch.

-I think we need to upgrade the main version of Jetty because all of the 9.4-based versions have CVE problems. See here: [https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server]. We should upgrade Jetty to 11.0.15, which is the latest version. For this, we need quite a few code changes because of the deprecated methods and classes.-

[-https://www.eclipse.org/jetty/javadoc/jetty-10/deprecated-list.html-]

was (Author: JIRAUSER294755):
I started working on the patch. I think we need to upgrade the main version of Jetty because all of the 9.4-based versions have CVE problems. See here: [https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server]. We should upgrade Jetty to 11.0.15, which is the latest version. For this, we need quite a few code changes because of the deprecated methods and classes.

[https://www.eclipse.org/jetty/javadoc/jetty-10/deprecated-list.html]

> Update for Zookeeper latest version
>
> Key: ZOOKEEPER-4696
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4696
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.8.0
> Reporter: Dilip anand
> Assignee: Szucs Villo
> Priority: Critical
> Labels: CVE
>
> Hi team,
> We ran a scan for security vulnerability fixes, we have seen CVEs that
> are affected for zookeeper and version of zookeeper we are using is 3.8.0.
> Here are the CVEs which are affected with zookeeper
> CVE-2022-32221,CVE-2023-23914,CVE-2023-27533,CVE-2023-27534,CVE-2022-22576,CVE-2020-8169,CVE-2020-8285,CVE-2020-8286,CVE-2021-22926,CVE-2021-22946,CVE-2022-27775,CVE-2022-27781,CVE-2022-27782,CVE-2023-23916
> which do not have any reports in Red Hat website. We want to know what
> version of zookeeper will clear these CVEs and when it'll be released?
> Regards,
> Dilip
[jira] [Assigned] (ZOOKEEPER-4700) Update Jetty for fixing CVE-2023-26048 and CVE-2023-26049
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Szucs Villo reassigned ZOOKEEPER-4700:
--------------------------------------

Assignee: Szucs Villo

> Update Jetty for fixing CVE-2023-26048 and CVE-2023-26049
> ---------------------------------------------------------
>
> Key: ZOOKEEPER-4700
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4700
> Project: ZooKeeper
> Issue Type: Task
> Affects Versions: 3.8.1
> Reporter: Beltran
> Assignee: Szucs Villo
> Priority: Major
>
> The Zookeeper latest version (v3.8.1) includes
> jetty-server-9.4.49.v20220914.jar that includes 2 vulnerabilities reported by
> the scanners: CVE-2023-26048 and CVE-2023-26049.
> The goal is to upgrade jetty to 9.4.51. This dependency was already upgraded
> in Kafka KAFKA-14983.
[jira] [Commented] (ZOOKEEPER-4696) Update for Zookeeper latest version
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17727562#comment-17727562 ]

Szucs Villo commented on ZOOKEEPER-4696:

I started working on the patch. I think we need to upgrade the main version of Jetty because all of the 9.4-based versions have CVE problems. See here: [https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server]. We should upgrade Jetty to 11.0.15, which is the latest version. For this, we need quite a few code changes because of the deprecated methods and classes.

[https://www.eclipse.org/jetty/javadoc/jetty-10/deprecated-list.html]

> Update for Zookeeper latest version
>
> Key: ZOOKEEPER-4696
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4696
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.8.0
> Reporter: Dilip anand
> Assignee: Szucs Villo
> Priority: Critical
> Labels: CVE
>
> Hi team,
> We ran a scan for security vulnerability fixes, we have seen CVEs that
> are affected for zookeeper and version of zookeeper we are using is 3.8.0.
> Here are the CVEs which are affected with zookeeper
> CVE-2022-32221,CVE-2023-23914,CVE-2023-27533,CVE-2023-27534,CVE-2022-22576,CVE-2020-8169,CVE-2020-8285,CVE-2020-8286,CVE-2021-22926,CVE-2021-22946,CVE-2022-27775,CVE-2022-27781,CVE-2022-27782,CVE-2023-23916
> which do not have any reports in Red Hat website. We want to know what
> version of zookeeper will clear these CVEs and when it'll be released?
> Regards,
> Dilip