Patrick

We are not affected by that issue
https://nvd.nist.gov/vuln/detail/CVE-2019-20445
It is about HTTP.

As Netty is a core dependency and in my experience sometimes it introduces regressions I feel it is safer to not upgrade for 3.6.0.
We can upgrade it on master branch.

Enrico

On Mon 3 Feb 2020, 20:06 Patrick Hunt <ph...@apache.org> wrote:

> FYI owasp jenkins job is failing due to netty CVE:
> https://issues.apache.org/jira/browse/ZOOKEEPER-3716
>
> Patrick
>
> On Mon, Feb 3, 2020 at 8:12 AM Enrico Olivelli <eolive...@gmail.com> wrote:
>
> > On Mon 3 Feb 2020, 16:23 Norbert Kalmar <nkal...@cloudera.com.invalid> wrote:
> >
> > > Máté's patch fixed it for me. I don't know if this is a blocker for 3.6.0 rc1
> >
> > I don't think it is a blocker.
> > It is not a regression
> >
> > Enrico
> >
> > > , but since 3.5.7 is not even branched yet, I'll wait for this patch to make it there.
> > >
> > > Thanks Máté, good catch!
> > >
> > > Regards,
> > > Norbert
> > >
> > > On Mon, Feb 3, 2020 at 2:02 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > >
> > > > I created https://issues.apache.org/jira/browse/ZOOKEEPER-3715 and started to work on it
> > > >
> > > > On Mon, Feb 3, 2020 at 1:12 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > > >
> > > > > (FYI: I tried a few more versions, the problem seems to appear between OpenJDK 8.232 and 8.242. And there are a lot of kerberos related changes after 8.232: see https://hg.openjdk.java.net/jdk8u/jdk8u/jdk )
> > > > >
> > > > > On Mon, Feb 3, 2020 at 12:54 PM Norbert Kalmar <nkal...@cloudera.com.invalid> wrote:
> > > > >
> > > > > > I tested with zulu 1.8.212 on the linux machine, and with zulu 1.8.0_163 on MacOS (whoops). I use sdkman on both machines. I upgraded to the newest 1.8 which is _242, at least with sdkman.
> > > > > > And sadly, the mentioned tests also fail for me after the upgrade.
> > > > > >
> > > > > > So, something in the tests that the new versions of java don't like :(
> > > > > >
> > > > > > I'm not sure either if it's a showstopper or not. But possibly this could come out when using kerberized ZK? Unfortunately kind of hard to test "live".
> > > > > >
> > > > > > Regards,
> > > > > > Norbert
> > > > > >
> > > > > > On Mon, Feb 3, 2020 at 12:38 PM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > > > > >
> > > > > > > - I compiled and ran all the unit tests using Ubuntu 18.04 (incl. the C client), using OpenJDK 1.8.212
> > > > > > > - I also built and unit tested the python client
> > > > > > > - I did some manual tests for the multi-address feature with multiple virtual networks (using https://github.com/symat/zookeeper-docker-test)
> > > > > > >
> > > > > > > everything seemed to be OK, however...
> > > > > > >
> > > > > > > using OpenJDK 1.8.242 or OpenJDK 11.0.6, I got some kerberos related exceptions when running the following tests:
> > > > > > > - QuorumKerberosAuthTest
> > > > > > > - QuorumKerberosHostBasedAuthTest
> > > > > > > - SaslKerberosAuthOverSSLTest
> > > > > > >
> > > > > > > the error:
> > > > > > > 2020-02-03 12:11:07,197 [myid:localhost:11223] - ERROR [main-SendThread(localhost:11223):ZooKeeperSaslClient@336] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: null (5001))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
> > > > > > >
> > > > > > > I tried it with Zulu 11.0.3 version and OpenJDK 11.0.2 version and both were working fine. So it looks there might be some incompatibility with the more recent JDK releases. (between 1.8.212 - 1.8.242, and also between 11.0.3 and 11.0.6)
> > > > > > >
> > > > > > > I also tested on OpenJDK 13.ea.30 and that worked.
> > > > > > >
> > > > > > > I am not sure if it is a -1 or not... clearly these are some test and JDK related issues. Also it can be only some strange thing with my environment.
> > > > > > > Can someone try to reproduce my problem?
> > > > > > >
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Mate
> > > > > > >
> > > > > > > On Mon, Feb 3, 2020 at 4:31 AM Jordan Zimmerman <jor...@jordanzimmerman.com> wrote:
> > > > > > >
> > > > > > > > No big issues with Curator that I could find
> > > > > > > >
> > > > > > > > +1 (non binding)
> > > > > > > >
> > > > > > > > -Jordan
> > > > > > > >
> > > > > > > > > On Feb 1, 2020, at 10:02 AM, Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > This is the second release candidate for Apache ZooKeeper 3.6.0.
> > > > > > > > >
> > > > > > > > > It is a major release and it introduces a lot of new features, most notably:
> > > > > > > > > - Built-in data consistency check inside ZooKeeper
> > > > > > > > > - Allow Followers to host Observers
> > > > > > > > > - Authentication enforcement
> > > > > > > > > - Pluggable metrics system for ZooKeeper (and Prometheus.io integration)
> > > > > > > > > - TLS Port unification
> > > > > > > > > - Audit logging in ZooKeeper servers
> > > > > > > > > - Improve resilience to network (advertise multiple addresses for members of a Zookeeper cluster)
> > > > > > > > > - Persistent Recursive Watches
> > > > > > > > > - add an API and the corresponding CLI to get total count of recursive sub nodes under a specific path
> > > > > > > > >
> > > > > > > > > The full release notes are available at:
> > > > > > > > >
> > > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12326518
> > > > > > > > >
> > > > > > > > > *** Please download, test and vote by February 4th 2020, 23:59 UTC+0. ***
> > > > > > > > >
> > > > > > > > > Source files:
> > > > > > > > > https://people.apache.org/~eolivelli/zookeeper-3.6.0-candidate-1/
> > > > > > > > >
> > > > > > > > > Maven staging repo:
> > > > > > > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1047/
> > > > > > > > >
> > > > > > > > > The staging version of the website is:
> > > > > > > > > https://people.apache.org/~eolivelli/zookeeper-3.6.0-candidate-1/website/
> > > > > > > > >
> > > > > > > > > The release candidate tag in git to be voted upon: release-3.6.0-1
> > > > > > > > > https://github.com/apache/zookeeper/tree/release-3.6.0-1
> > > > > > > > >
> > > > > > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > > > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > > > > >
> > > > > > > > > Please note that we are adding a new jar to the dependency set for clients: zookeeper-metrics-providers.
> > > > > > > > >
> > > > > > > > > Should we release this candidate?
> > > > > > > > >
> > > > > > > > > Enrico Olivelli