On Tue, Oct 1, 2019, 10:38 Andor Molnar <[email protected]> wrote:

> Backporting Netty 4 would be a huge, cumbersome task, I hope we don’t have
> to do it.
>

Yes, 3.4 is mature and stable and closed for refactors.

> However I had a quick look at the details of this CVE and it seems to me
> that it only affects the HTTP codec:
>
> https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
>
> Can’t we just say 3.4.14 is not affected?
> We’re not running HTTP server inside ZooKeeper.
>
> Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4
> EOL and highlight on the webpage that this
>

Please do not start an 'alpha' story like for 3.5....

> CVE probably won’t be resolved on that branch, please upgrade to 3.5.
>

+1

Enrico

>
> As a third option we could ask Norman to kindly fix 3.10.6.Final as well…
> or submit a PR ourselves, it doesn’t seem to me a big deal.
>

Not so useful

>
> What do you think?
>
> Andor
>
>
> > On 2019. Oct 1., at 2:00, Patrick Hunt <[email protected]> wrote:
> >
> > I pushed patches for 3.5 and trunk and the tests passed on my mac. However
> > 3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade.
> > (there are no fixes against 3.10 for this CVE, at least not so far) Not
> > sure what we want to do about this... someone would need to backport the
> > netty 4.1 changes into 3.4 afaict.
> >
> > Patrick
> >
> > On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <[email protected]> wrote:
> >
> >> I'll work on it today.
> >>
> >> Patrick
> >>
> >> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <[email protected]>
> >> wrote:
> >>
> >>> Okay
> >>>
> >>> I am cancelling the release.
> >>>
> >>> I have a problem with my box, I can't work on netty upgrade.
> >>>
> >>> Any volunteer?
> >>>
> >>> Enrico
> >>>
> >>> On Mon, Sep 30, 2019, 20:32 Andor Molnar <[email protected]> wrote:
> >>>
> >>>> The good news is: we need to release 3.4.15 too. :)
> >>>>
> >>>> Andor
> >>>>
> >>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <[email protected]> wrote:
> >>>>>
> >>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
> >>>>>
> >>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <[email protected]> wrote:
> >>>>>
> >>>>>> -1 - when I run dependency check on the release candidate artifact it's
> >>>>>> failing with:
> >>>>>>
> >>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
> >>>>>>
> >>>>>> I ran this on trunk and it's passing, as such it must be an issue with
> >>>>>> the 3.5.6 netty version specifically. It's listed as a high, we should
> >>>>>> patch this as well before releasing.
> >>>>>>
> >>>>>> Patrick
> >>>>>>
> >>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <[email protected]>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> This is a bugfix release candidate for 3.5.6.
> >>>>>>>
> >>>>>>> It fixes 28 issues, including upgrade of third party libraries,
> >>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and better
> >>>>>>> procedure for the upgrade of servers from 3.4 to 3.5.
> >>>>>>>
> >>>>>>> The full release notes are available at:
> >>>>>>>
> >>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >>>>>>>
> >>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
> >>>>>>>
> >>>>>>> Source files:
> >>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
> >>>>>>>
> >>>>>>> Maven staging repo:
> >>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
> >>>>>>>
> >>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
> >>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
> >>>>>>>
> >>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >>>>>>> https://www.apache.org/dist/zookeeper/KEYS
> >>>>>>>
> >>>>>>> Should we release this candidate?
> >>>>>>> Enrico Olivelli
