I pushed patches for 3.5 and trunk and the tests passed on my mac. However 3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade. (there are no fixes against 3.10 for this CVE, at least not so far) Not sure what we want to do about this... someone would need to backport the netty 4.1 changes into 3.4 afaict.

Patrick

On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <[email protected]> wrote:

> I'll work on it today.
>
> Patrick
>
> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <[email protected]>
> wrote:
>
>> Okay
>>
>> I am cancelling the release.
>>
>> I have a problem with my box, I can't work on netty upgrade.
>>
>> Any volunteer?
>>
>> Enrico
>>
>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <[email protected]> wrote:
>>
>> > The good news is: we need to release 3.4.15 too. :)
>> >
>> > Andor
>> >
>> > > On 2019. Sep 30., at 20:26, Patrick Hunt <[email protected]> wrote:
>> > >
>> > > created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
>> > >
>> > > On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <[email protected]> wrote:
>> > >
>> > >> -1 - when I run dependency check on the release candidate artifact it's
>> > >> failing with:
>> > >>
>> > >> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
>> > >>
>> > >> I ran this on trunk and it's passing, as such it must be an issue with
>> > >> the 3.5.6 netty version specifically. It's listed as a high, we should
>> > >> patch this as well before releasing.
>> > >>
>> > >> Patrick
>> > >>
>> > >> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <[email protected]>
>> > >> wrote:
>> > >>
>> > >>> This is a bugfix release candidate for 3.5.6.
>> > >>>
>> > >>> It fixes 28 issues, including upgrade of third party libraries,
>> > >>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
>> > >>> procedure for the upgrade of servers from 3.4 to 3.5.
>> > >>>
>> > >>> The full release notes are available at:
>> > >>>
>> > >>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>> > >>>
>> > >>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
>> > >>>
>> > >>> Source files:
>> > >>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
>> > >>>
>> > >>> Maven staging repo:
>> > >>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
>> > >>>
>> > >>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
>> > >>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
>> > >>>
>> > >>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>> > >>> https://www.apache.org/dist/zookeeper/KEYS
>> > >>>
>> > >>> Should we release this candidate?
>> > >>> Enrico Olivelli
