Hi Avro folks,

A project I'm working on uses Avro, and I noticed this thread with the intent
to resolve the known CVE issues with jackson-* deps. From what I can
determine, an Avro release would need to wait for Jackson 2.15
<https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15>. Is that
also your assessment?

I'm keen to see a 1.11.2 "CVE clean" release also, so big +1 from a random
user.

Kind regards, Eric

On Mon, Mar 13, 2023 at 10:55 AM Ryan Skraba <r...@skraba.com> wrote:

> :D  Doing another minor release is also related to the thread of
> whether or not there could be an LTS version, or supporting more than
> one version of Avro!
>
> Throughout the last year, we've been pretty good about cherry-picking
> bugfixes into the 1.11 branch when they are relevant and useful, so
> doing the 1.11.2 release should pretty much be a non-event!  The
> exception seems to be some JIRA and PRs that were "grandfathered" into
> the next minor release because of lack of attention (which is another
> issue entirely that we really should be addressing...)
>
> I'd like to do the 1.11.2 in order to address the automated security
> warnings for security scanning tools (see
> https://mvnrepository.com/artifact/org.apache.avro/avro/1.11.1).  I
> don't believe either of the CVEs are exploitable via Avro, but it's
> always a good practice to not drag them into the dependency graph if
> we can!
>
> Please do not stop contributing to 1.12.0, of course!  That should be
> the destination for the great new features that belong to a major
> release!
>
> All my best, Ryan
>
> On Sat, Mar 11, 2023 at 8:52 AM Oscar Westra van Holthe - Kind
> <os...@westravanholthe.nl> wrote:
> >
> > On Thu, 9 Mar 2023 22:14, Ryan Skraba <r...@skraba.com> wrote:
> >
> > > Hey all, I'd like to bring this discussion back to life -- are we in a
> > > state to do a 1.11.2 release?
> >
> >
> > > [...] If I remember correctly, there
> > > wasn't much left in JIRA unresolved for 1.11.2! [1]
> > >
> > > [...]
> > > [1] https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
> >
> >
> > Maybe a few things, but I prefer to wrap this up and start on 1.12.0 with
> > Java >8 (see that discussion), a schema syntax for IDL, and maybe even IDL
> > support for Python/Rust/...
> >
> >
> > Kind regards,
> > Oscar
> >
> > --
> > Oscar Westra van Holthe - Kind <os...@westravanholthe.nl>
>
