This is an automated email from the ASF dual-hosted git repository.

yong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git


The following commit(s) were added to refs/heads/master by this push:
     new 7c74fbb  Release note for 4.14.2 (#2765)
7c74fbb is described below

commit 7c74fbbd3614ba7042d55490332d0912c62d4bfc
Author: Yong Zhang <[email protected]>
AuthorDate: Mon Sep 6 09:06:46 2021 +0800

    Release note for 4.14.2 (#2765)
    
    * Release note for 4.14.2
    ---
    
    *Motivation*
    
    Release note update for 4.14.2
---
 site/docs/4.14.2/overview/releaseNotes.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/site/docs/4.14.2/overview/releaseNotes.md 
b/site/docs/4.14.2/overview/releaseNotes.md
index a6181ff..de69f2b 100644
--- a/site/docs/4.14.2/overview/releaseNotes.md
+++ b/site/docs/4.14.2/overview/releaseNotes.md
@@ -20,6 +20,22 @@ The technical details of this release are summarized below.
 
   The current libthrift version 0.12.0 has multiple vulnerabilities: 
CVE-2019-0205 , CVE-2019-0210 , CVE-2020-13949
 
+- [https://github.com/apache/bookkeeper/pull/2735] Exclude grpc-okhttp 
dependency
+
+  The okhttp dependency version 2.7.4 is old and vulnerable. This dependency 
isn't needed and it causes Bookkeeper to be flagged for security 
vulnerabilities.
+
+- [https://github.com/apache/bookkeeper/pull/2734] Upgrade Freebuilder version 
and fix the dependency
+
+  - Freebuilder 1.14.9 contains an outdate jquery js file which causes the 
library to be flagged as vulnerable with the highest threat level in Sonatype 
IQ vulnerability scanner. This also flags Bookkeeper as vulnerable with the 
highest threat level although it is a false positive and not an actual threat.
+
+  - Freebuilder shouldn't be exposed as a transitive dependency
+    - it's an annotation processor which should be defined
+      - [optional in maven](https://github.com/inferred/FreeBuilder#maven)
+      - [compileOnly in gradle](https://github.com/inferred/FreeBuilder#gradle)
+
+- [https://github.com/apache/bookkeeper/pull/2693] Upgrade vertx to 3.9.8, 
addresses CVE-2018-12541
+
+  The current vertx version is 3.5.3 which has a vulnerability, CVE-2018-12541 
.
 
 ## Details
 
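Review bot: Two wording defects in the added lines: "outdate jquery js file" in the Freebuilder entry should read "outdated jquery js file", and the vertx entry ends with a stray space before the period ("CVE-2018-12541 ." should be "CVE-2018-12541."). The okhttp entry also stands out from its neighbours: the libthrift and vertx entries name the CVE that motivates the change, while the grpc-okhttp exclusion only says the 2.7.4 version is "old and vulnerable", so a reader of the release notes cannot tell which advisory is being closed; consider citing the advisory the scanner reported, or, if the exclusion is purely about removing an unused transitive dependency, say so in the same terms used for Freebuilder. Finally, the nested bullets under the Freebuilder entry ("it's an annotation processor which should be defined" followed by two sub-bullets) read as a fragment; rewriting them as one sentence, e.g. "FreeBuilder is an annotation processor and should be declared optional in Maven or compileOnly in Gradle", with the two links kept, would match the style of the other entries.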
