It looks like another CVE was found that affects Log4J 2.16.0. This seems less severe than the previous CVEs--it's only a DoS, and I think Daffodil CLI isn't affected. But I *think* API users of Daffodil could potentially be affected if they have custom Log4J configs with a special Pattern Layout.

Dependabot already has a PR open for Log4J 2.17.0 with a fix. Do we want to cancel this rc1 vote, merge the patch, and create an rc2?

(Dependabot also opened a PR to update jackson-core, which has a bug fix for JSON parsing of quotes which might be worth merging as well?)

On 12/16/21 4:02 PM, Mike Beckerle wrote:
Hi all,

I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
with an abbreviated approval cycle (to be used only for urgent patch
releases).

Your vote covers the release as usual, but also due to the urgency of
this patch release, you are also voting on these 4 deltas from our more
usual release process:

* You agree the patch release is urgent and this abbreviated approval
   cycle is warranted and appropriate.

* The DISCUSS email thread will be superseded by this VOTE thread.

* Shortened 48 hours of work-day time for lazy consensus on the VOTE

* A minimum of three +1 and zero -1 binding votes are needed

For a summary of the changes in this release, see the release notes page:

https://daffodil.apache.org/releases/3.2.1/

All distribution packages, including signatures, digests, etc. can be found at:

https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/

Staging artifacts can be found at:

https://repository.apache.org/content/repositories/orgapachedaffodil-1026/

This release has been signed with PGP key 274B8F1413A680AF, corresponding
to mbecke...@apache.org, which is included in the KEYS file here:

https://downloads.apache.org/daffodil/KEYS

The release candidate has been tagged in git with v3.2.1-rc1.

For reference, here is a list of all closed JIRAs tagged with 3.2.1:

https://s.apache.org/daffodil-issues-3.2.1

Please review and vote.

Per the abbreviated process, the vote will be open for 48 hours.
(Until Monday 20 December 2021 17:00 EST.US).

[ ] +1 approve the release, and this abbreviated release process
[ ] +0 no opinion
[ ] -1 disapprove of the release, or of this abbreviated release
        process (and reason why)
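Before casting a vote on a release candidate, a reviewer normally checks that every artifact under the dist directory matches its digest and carries a valid detached signature from a key in the project's KEYS file. The script below is an added example, not code from the thread or from the Daffodil project. It assumes the usual ASF layout (each artifact sits beside a `.asc` detached signature and a `.sha512` digest file), that the `.sha512` files are in a format `sha512sum -c` can read (an assumption; some ASF projects emit a different digest layout), and that `gpg` and `sha512sum` are installed. The KEYS URL is the one quoted in the vote mail; the sample artifact is constructed locally so the digest check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Daffodil thread or project): verify a release
# candidate's digests and detached PGP signatures before voting.
# Assumptions: artifacts are laid out as <name>, <name>.asc, <name>.sha512;
# digest files are sha512sum-compatible; gpg and sha512sum are available.
set -u

# KEYS file URL taken from the vote mail.
KEYS_URL="https://downloads.apache.org/daffodil/KEYS"

# Import the project's KEYS file so signatures can be checked against it.
# Network access is required for this step; it is not used by the offline checks.
import_keys() {
    curl -fsSL "$KEYS_URL" | gpg --import
}

# Verify every *.sha512 file in a directory against the artifact it names.
# Returns 0 only if every digest matches; a single mismatch makes the RC fail.
verify_digests() {
    dir="$1"
    status=0
    for sums in "$dir"/*.sha512; do
        [ -e "$sums" ] || { echo "no .sha512 files in $dir" >&2; return 1; }
        # Run inside the directory so the filename in the digest file resolves.
        (cd "$dir" && sha512sum -c --quiet "$(basename "$sums")") || status=1
    done
    return $status
}

# Verify every *.asc detached signature against its artifact.
# gpg exits non-zero on a bad signature or an unknown key, so a missing KEYS
# import shows up here as a failure rather than a silent pass.
verify_signatures() {
    dir="$1"
    status=0
    for sig in "$dir"/*.asc; do
        [ -e "$sig" ] || { echo "no .asc files in $dir" >&2; return 1; }
        gpg --verify "$sig" "${sig%.asc}" || status=1
    done
    return $status
}

# Build a constructed sample tree (one fake artifact plus its digest) so the
# digest check can be run without downloading anything.
make_sample_dir() {
    dir="$(mktemp -d)"
    printf 'constructed release artifact\n' > "$dir/example-3.2.1-bin.tgz"
    (cd "$dir" && sha512sum example-3.2.1-bin.tgz > example-3.2.1-bin.tgz.sha512)
    echo "$dir"
}

# Usage against a real RC (after downloading the dist directory locally):
#   import_keys && verify_digests ./3.2.1-rc1 && verify_signatures ./3.2.1-rc1
```

The digest and signature checks are kept separate on purpose: a digest mismatch points at a corrupted or tampered download, while a signature failure points at the wrong key or an unsigned artifact, and a -1 vote should say which.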
