On 11/28/2023 4:07 PM, Michael Jumper wrote:
Hello all,
The first release candidate for Apache Guacamole 1.5.4 has been uploaded
and is ready for VOTE. The draft release notes (along with links to
artifacts, signatures/checksums, and updated documentation) can be found
here:
http://guacamole.apache.org/releases/1.5.4/
The git tag for all relevant repositories is "1.5.4-RC1":
https://github.com/apache/guacamole-client/tree/1.5.4-RC1
https://github.com/apache/guacamole-server/tree/1.5.4-RC1
https://github.com/apache/guacamole-manual/tree/1.5.4-RC1
Build instructions are included in the manual, which is part of the
updated documentation referenced above. For convenience:
http://guacamole.apache.org/doc/1.5.4/gug/installing-guacamole.html
Maven artifacts for guacamole-common, guacamole-common-js, and
guacamole-ext can be found in the following staging repository:
https://repository.apache.org/content/repositories/orgapacheguacamole-1021
Source and binary distributions (also linked within the release notes):
https://dist.apache.org/repos/dist/dev/guacamole/1.5.4-RC1/
Artifacts have been signed with the "[email protected]" key listed in:
https://dist.apache.org/repos/dist/dev/guacamole/KEYS
Please review and vote:
[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)
This vote will be open for at least 72 hours.
Cancelling this in favor of an RC2 as Logback has since issued a 1.3.12
update correcting a bug with an associated CVE [1]. They've since issued
further updates, with the latest compatible version being 1.3.14 as of
today [2].
It doesn't look like the CVE would affect users of Guacamole at all, as
it depends on Logback having been manually reconfigured to use a
"receiver", but it's certainly worth an RC2.
- Mike
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-6378
[2] https://logback.qos.ch/news.html#1.3.14
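
The condition described in the message above (Logback reconfigured to use a "receiver") can be checked in a deployment's Logback configuration file. The following is an added example, not part of the original thread or of the Guacamole project; the function names, result labels and sample configurations are assumptions constructed for illustration, and the version check only handles plain numeric 1.3.x versions.

```python
import xml.etree.ElementTree as ET

# Per the message above, Logback 1.3.12 carries the fix for CVE-2023-6378.
FIXED_1_3 = (1, 3, 12)

def find_receivers(logback_xml: str) -> list[str]:
    """Return the class of every <receiver> element in a Logback config."""
    root = ET.fromstring(logback_xml)
    found = []
    for el in root.iter():
        # Drop any XML namespace and tolerate case differences in the tag.
        name = el.tag.rsplit("}", 1)[-1].lower()
        if name == "receiver":
            found.append(el.get("class", "(no class attribute)"))
    return found

def assess(logback_xml: str, logback_version: str) -> str:
    """Classify a deployment; handles plain numeric 1.3.x versions only."""
    receivers = find_receivers(logback_xml)
    if not receivers:
        return "no-receiver"
    version = tuple(int(p) for p in logback_version.split("."))
    return "receiver-patched" if version >= FIXED_1_3 else "receiver-unpatched"

# Constructed sample configurations (not taken from Guacamole).
CONSOLE_ONLY = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%msg%n</pattern></encoder>
  </appender>
  <root level="info"><appender-ref ref="STDOUT"/></root>
</configuration>"""

WITH_RECEIVER = """<configuration>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>6000</port>
  </receiver>
  <root level="info"/>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("console-only", CONSOLE_ONLY), ("receiver", WITH_RECEIVER)):
        for ver in ("1.3.11", "1.3.14"):
            print(label, ver, assess(cfg, ver), find_receivers(cfg))
```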