I am cancelling the vote now. There is already a pending PR for the upgrade.
I have approved it, it needs a second +1. Please take a look and merge.

Enrico

On Thu, 26 Sep 2019, 20:16 Andor Molnar <an...@apache.org> wrote:

> Sorry I was busy with company work and didn’t have much time for ZooKeeper. I was not sure about whether I have to -1 because of those new CVEs, but if we can upgrade relatively quickly (bumping version numbers), then I think we should do it even if the problem doesn’t affect us directly. (owasp build will be red anyways)
>
> Enrico, how much effort would be to upgrade Jackson libs again?
>
> Sorry about that.
>
> Andor
>
>
> > On 2019. Sep 26., at 17:38, Patrick Hunt <ph...@apache.org> wrote:
> >
> > On Thu, Sep 26, 2019 at 3:50 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> >> Hi folks,
> >> all the community is invited to test this release candidate
> >>
> >> and we need at least three binding VOTEs
> >>
> >>
> > After seeing Andor's feedback I was waiting for the new RC to be cut. (also FYI Strata this week) Given we release relatively infrequently it seemed a better idea to spend an additional few days knocking this one down so it's not an open question going forward. If folks disagree please state as such as I'd rather not spend the time reviewing again just to have to review another RC.
> >
> > Patrick
> >
> >
> >> Best regards
> >> Enrico
> >>
> >> On Mon, 23 Sep 2019 at 11:22 Enrico Olivelli <eolive...@gmail.com> wrote:
> >>
> >>> Links to the details:
> >>> https://github.com/FasterXML/jackson-databind/issues/2449
> >>> https://github.com/FasterXML/jackson-databind/issues/2449
> >>>
> >>> @Andor Molnár <an...@apache.org> is it a -1 from your side?
> >>>
> >>> The rush for 3.5.6 is more about delivering a version of ZK without the security issues reported for Jackson Databind, so it may make sense to cancel this vote (but I am not doing it actually)
> >>> Btw we can't follow the fast pace of DataBind and CVEs
> >>>
> >>> This is interesting
> >>> https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
> >>>
> >>> As we are not affected by the issues above I suggest to move forward with the current tag
> >>>
> >>> Enrico
> >>>
> >>> On Mon, 23 Sep 2019 at 11:07 Norbert Kalmar <nkal...@cloudera.com.invalid> wrote:
> >>>
> >>>> These CVEs do not affect ZooKeeper, both are related to Hikari which is not used at all by ZooKeeper. (It's a JDBC connection pooling library)
> >>>>
> >>>> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
> >>>>
> >>>> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <an...@apache.org> wrote:
> >>>>
> >>>>> Hi Enrico!
> >>>>>
> >>>>> Looks like owasp is reporting 2 new issues with jackson-databind-2.9.9.3:
> >>>>>
> >>>>> https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
> >>>>>
> >>>>> If I’m not mistaken.
> >>>>>
> >>>>> Andor
> >>>>>
> >>>>>> On 2019. Sep 20., at 22:18, Enrico Olivelli <eolive...@gmail.com> wrote:
> >>>>>>
> >>>>>> This is a bugfix release candidate for 3.5.6.
> >>>>>>
> >>>>>> It fixes 27 issues, including upgrade of third party libraries, TTL Node APIs for C API, support for PKCS12 Keystores, and better procedure for the upgrade of servers from 3.4 to 3.5.
> >>>>>>
> >>>>>> The full release notes are available at:
> >>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >>>>>>
> >>>>>> *** Please download, test and vote by September 23rd 2019, 23:59 UTC+0. ***
> >>>>>>
> >>>>>> Source files:
> >>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
> >>>>>>
> >>>>>> Maven staging repo:
> >>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
> >>>>>>
> >>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc1
> >>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
> >>>>>>
> >>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >>>>>> https://www.apache.org/dist/zookeeper/KEYS
> >>>>>>
> >>>>>> Should we release this candidate?
> >>>>>>
> >>>>>> Enrico Olivelli