I just downloaded the OWASP dependency check command line tool [1] (note that there is an sbt plugin, but I couldn't get it to work).

I first ran it against the 3.2.0 release and it found only the expected, and now fixed, JDOM and Log4J CVEs.

I then ran it against 3.2.1-rc1 and it found nothing. This was a bit surprising since I expected the latest Log4J CVE, but maybe this CVE is just too new. It did happen over the weekend, so maybe it isn't in the database where the tool downloads from yet?

So I think there are no known CVEs aside from the newest Log4J one.

As to whether we are done with Log4j CVEs, I don't know. It wouldn't surprise me if more CVEs come out with the extra scrutiny it's getting, but we don't know of any more at the moment.

If we did do an rc2, all the binaries should be exactly the same except for the Log4J jar, so the verification process should be pretty easy. Another compressed vote seems reasonable, especially since we already have 3 +1's for this release, maybe even extra compressed considering the very small change and no binary differences in Daffodil.

[1] https://owasp.org/www-project-dependency-check/

On 12/20/21 9:38 AM, Mike Beckerle wrote:
I could go either way on this.

My questions, which are perhaps not ones we can easily get answers to...

* Do we actually know there are no CVEs against other things we depend on?

* Has this Log4J flurry now concluded, or is that software now "under
scrutiny" such that there are now going to be a bunch more CVEs and
fixes?

On Mon, Dec 20, 2021 at 7:27 AM Steve Lawrence <slawre...@apache.org> wrote:

It looks like another CVE was found that affects Log4J 2.16.0. This seems
less severe than the previous CVEs--it's only a DoS, and I think
Daffodil CLI isn't affected. But I *think* API users of Daffodil could
potentially be affected if they have custom Log4J configs with a special
Pattern Layout.

Dependabot already has a PR open for Log4J 2.17.0 with a fix. Do we want
to cancel this rc1 vote, merge the patch, and create an rc2?

(Dependabot also opened a PR to update jackson-core, which has a bug fix
for json parsing of quotes which might be worth merging as well?)

On 12/16/21 4:02 PM, Mike Beckerle wrote:
Hi all,

I'd like to call a vote to release Apache Daffodil 3.2.1 and to do so
with an abbreviated approval cycle (to be used only for urgent patch
releases).

Your vote covers the release as usual, but also due to the urgency of
this patch release, you are also voting on these 4 deltas from our more
usual release process:

* You agree the patch release is urgent and this abbreviated approval
    cycle is warranted and appropriate.

* The DISCUSS email thread will be superseded by this VOTE thread.

* Shortened 48 hours of work-day time for lazy consensus on the VOTE

* A minimum of three +1 and zero -1 binding votes are needed

For a summary of the changes in this release, see the release notes page:

https://daffodil.apache.org/releases/3.2.1/

All distribution packages, including signatures, digests, etc. can be found at:

https://dist.apache.org/repos/dist/dev/daffodil/3.2.1-rc1/

Staging artifacts can be found at:

https://repository.apache.org/content/repositories/orgapachedaffodil-1026/

This release has been signed with PGP key 274B8F1413A680AF, corresponding
to mbecke...@apache.org, which is included in the KEYS file here:

https://downloads.apache.org/daffodil/KEYS

The release candidate has been tagged in git with v3.2.1-rc1.

For reference, here is a list of all closed JIRAs tagged with 3.2.1:

https://s.apache.org/daffodil-issues-3.2.1

Please review and vote.

Per the abbreviated process, the vote will be open for 48 hours.
(Until Monday 20 December 2021 17:00 EST.US).

[ ] +1 approve the release, and this abbreviated release process
[ ] +0 no opinion
[ ] -1 disapprove of the release, or of this abbreviated release
         process (and reason why)
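The vote above asks reviewers to check the distribution packages, their signatures and digests against the KEYS file, and names the signing key (274B8F1413A680AF). The script below is an added example of doing that check offline; it is not code from the Daffodil project or from anyone in this thread. It assumes the conventional ASF layout (each artifact sits next to an <artifact>.sha512 digest file and an <artifact>.asc detached signature), that the RC files and KEYS have already been downloaded into one local directory, and the artifact file names used in the comments are illustrative.

```python
"""Offline verification of a downloaded release-candidate directory.

Added example, not code from the Daffodil project or from this thread.
Assumed layout: each artifact <name> sits next to <name>.sha512 and a
detached signature <name>.asc, and signing keys come from the project's
KEYS file. File and path names below are illustrative.
"""
import hashlib
import re
import subprocess
import sys
from pathlib import Path

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]+$")


def parse_sha512_sidecar(text: str) -> str:
    """Extract the digest from a .sha512 file as 128 lowercase hex chars.

    ASF sidecars come in two shapes: `sha512sum` output ("<hex>  <file>")
    and `gpg --print-md SHA512` output ("<file>: " followed by hex split
    into space/newline separated groups). Keeping only all-hex tokens and
    joining them handles both; the file name never survives because it
    contains non-hex characters such as '-' or '.'.
    """
    digest = "".join(t for t in text.split() if HEX_TOKEN.match(t)).lower()
    if len(digest) != 128:
        raise ValueError(f"no single SHA-512 digest found in sidecar: {text!r}")
    return digest


def sha512_of_file(path: Path) -> str:
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_digest(artifact: Path) -> bool:
    """True if <artifact>.sha512 matches the artifact's actual SHA-512."""
    sidecar = artifact.with_name(artifact.name + ".sha512")
    return sha512_of_file(artifact) == parse_sha512_sidecar(sidecar.read_text())


def import_keys(keys_file: Path, keyring: Path) -> None:
    """Import KEYS into a throwaway keyring, isolating the check from
    whatever happens to be in the local ~/.gnupg."""
    subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring",
         str(keyring.resolve()), "--import", str(keys_file)],
        check=True, capture_output=True,
    )


def check_signature(artifact: Path, keyring: Path, expected_keyid: str) -> bool:
    """True only if <artifact>.asc verifies AND was made by the announced key.

    A good signature from some other key in KEYS is not enough: the vote
    names one key, so compare the long key id (last 16 hex digits of the
    fingerprint on gpg's VALIDSIG status line). gpg will warn that the key
    is not certified; that is expected, since nothing in KEYS is locally
    trusted, and it changes neither the exit code nor the VALIDSIG line.
    """
    sig = artifact.with_name(artifact.name + ".asc")
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring",
         str(keyring.resolve()), "--status-fd", "1",
         "--verify", str(sig), str(artifact)],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return False
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2].upper().endswith(expected_keyid.upper())
    return False


def verify_release_dir(rc_dir: Path, keyring: Path, expected_keyid: str) -> dict:
    """Check every artifact that has a .sha512 sidecar.
    Returns {artifact name: {"digest": bool, "signature": bool}}."""
    results = {}
    for sidecar in sorted(rc_dir.glob("*.sha512")):
        artifact = sidecar.with_name(sidecar.name[: -len(".sha512")])
        results[artifact.name] = {
            "digest": check_digest(artifact),
            "signature": check_signature(artifact, keyring, expected_keyid),
        }
    return results


if __name__ == "__main__":
    # Usage: python verify_rc.py <rc_dir> <KEYS file> <long key id>
    # rc_dir is assumed to hold the files fetched from the dist dev area;
    # the key id is the one announced in the vote mail.
    rc_dir, keys_file, keyid = sys.argv[1:4]
    ring = Path(rc_dir) / "rc-keyring.gpg"
    import_keys(Path(keys_file), ring)
    report = verify_release_dir(Path(rc_dir), ring, keyid)
    for name, r in report.items():
        print(f"{name}: digest={'ok' if r['digest'] else 'BAD'} "
              f"signature={'ok' if r['signature'] else 'BAD'}")
    sys.exit(0 if all(r["digest"] and r["signature"] for r in report.values()) else 1)
```

The digest parser is deliberately tolerant of both sidecar shapes seen on ASF mirrors, and the signature check fails closed when the signing key is not the announced one, even if the signature itself is valid.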


