xiangfu0 commented on issue #18593:
URL: https://github.com/apache/pinot/issues/18593#issuecomment-4597126458

   We've cut **Apache Pinot 1.5.1** as a security patch on top of 1.5.0 to 
address the CVEs reported here. It's published as a pre-release while it goes 
through the Apache release vote:
   
   👉 https://github.com/apache/pinot/releases/tag/release-1.5.1
   
   **Fixed in 1.5.1** (dependency bumps from the 1.5.0 baseline):
   
   | Dependency | 1.5.0 → 1.5.1 | CVEs addressed |
   |---|---|---|
   | Netty | `4.1.122.Final` → `4.1.134.Final` | CVE-2025-55163, 
CVE-2025-59419, CVE-2026-33870, CVE-2026-33871, CVE-2026-42579, CVE-2026-42583, 
CVE-2026-42584, CVE-2026-42587 |
   | Log4j Core | `2.25.3` → `2.26.0` | CVE-2026-34478, CVE-2026-34479, 
CVE-2026-34480, CVE-2026-34481 |
   | async-http-client | `3.0.7` → `3.0.10` | CVE-2026-45300 |
   | Apache HttpClient 5 | `5.6` → `5.6.1` | CVE-2026-40542 |
   
   **Not fixed — Jetty CVE-2026-2332:** the Jetty 9.4.x branch is end-of-life 
with no patch available (advisory GHSA-355h-qmc2-wpwf; only Jetty 12.0.33 / 
12.1.7 are fixed). In Pinot, Jetty is a managed dependency for the optional 
Hadoop/Spark/Pulsar ingestion plugins only — Pinot's own HTTP layer uses 
Grizzly/Jersey — so the HTTP/1.1 request-smuggling vector does not apply to 
Pinot's broker/server/controller/minion services. A real fix requires a Jetty 9 
→ 12 migration, which is too invasive for a patch release; we'll track that 
separately for a future minor.
   
   As noted earlier, these bumps are already on `master` (1.6.0-SNAPSHOT); 
1.5.1 back-ports them to the 1.5.x line. Once the vote passes, 1.5.1 will be 
promoted to the final release and Maven Central.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to