It failed due to the CVE, and the fix was not a clean cherry-pick to 3.5. Then Holidays hit, and I didn't do RC2. Picking it up now, and checking what needs to be backported and doing an RC2.
- Norbert

On Tue, Jan 5, 2021 at 12:26 PM Enrico Olivelli <[email protected]> wrote:

> What's the status of this VOTE ?
>
> Enrico
>
> On Tue, Dec 8, 2020 at 21:28 Damien Diederen <[email protected]> wrote:
>
> >
> > Hi Andor,
> >
> > > Is this not the same Jar that I’ve upgraded recently, because of a CVE?
> >
> > It is. You updated it for CVE-2020-27216, and this is now for
> > CVE-2020-27218!
> >
> > Cheers, -D
> >
> >
> >
> > >> On 2020. Dec 5., at 22:03, Patrick Hunt <[email protected]> wrote:
> > >>
> > >> Thanks Damien! I reviewed and it looks good except for one small comment I
> > >> hope we can also address (commented on PR).
> > >>
> > >> Regards,
> > >>
> > >> Patrick
> > >>
> > >> On Sat, Dec 5, 2020 at 12:05 PM Damien Diederen <[email protected]> wrote:
> > >>
> > >>>
> > >>> Hi Patrick, all,
> > >>>
> > >>>> -1 - the dependency check is failing with a known CVE
> > >>>>
> > >>>> $ mvn clean package -DskipTests dependency-check:check
> > >>>> ...
> > >>>> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> > >>>> [ERROR]
> > >>>> [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
> > >>>> [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
> > >>>
> > >>> For the (mailing list) record, I have created:
> > >>>
> > >>> https://issues.apache.org/jira/browse/ZOOKEEPER-4023
> > >>> https://github.com/apache/zookeeper/pull/1552
> > >>>
> > >>> Best, -D
> > >>>
> > >
