Good catch Mate! Jetty has to be upgraded.
Andor > On 2021. Apr 7., at 13:43, Szalay-Bekő Máté <szalay.beko.m...@gmail.com> > wrote: > > -1 (non-binding) > > Hello Mohammad! > > Thanks for the great work! Sorry for torpedoing it :( > > I voted with -1, as the CVE check failed for me on the release candidate: > > mvn clean package -DskipTests dependency-check:check > (...) > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check > (default-cli) on project zookeeper: > [ERROR] > [ERROR] One or more dependencies were identified with vulnerabilities that > have a CVSS score greater than or equal to '0.0': > [ERROR] > [ERROR] jetty-server-9.4.38.v20210224.jar: CVE-2021-28165 > [ERROR] jetty-http-9.4.38.v20210224.jar: CVE-2021-28165 > [ERROR] > [ERROR] See the dependency-check report for more details. > > > It seems we have a relatively recent (about three weeks old) CVE error in > Jetty: https://nvd.nist.gov/vuln/detail/CVE-2021-28165 > " In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and > 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large > invalid TLS frame." > > Looks like we will have to upgrade to jetty-server-9.4.39. > > Kind regards, > Mate > > On Tue, Apr 6, 2021 at 10:17 AM Mohammad arshad <mohammad.ars...@huawei.com> > wrote: > >> +1 (non-binding) >> >> -Verified signature and checksum of release artifacts. all ok >> -Run Junit test cases with jdk1.8.0_232 on Ubuntu 20.04, total 3137 test >> cases, 3 skipped, rest all passed >> -Done basic quality checks. run rat, checkstyle, spotbugs >> -Built tarball from source code, Verified it is same as the downloaded >> tarball >> -Installed 3 node cluster and verified basic functionalities from API, >> executed few cli commands. No issues observed >> -Connected HBase, HDFS and Yarn clusters (all using zk 3.5.6) to ZooKeeper >> 3.6.3 cluster, no issues observed. >> >> Though as a release manager my +1 vote is implicit, voting again to share >> few commands I used to verify the release. >> >> Here are some of the commands I executed while verifying the release. >> >> Download all the required artifacts >> -------------------------------------------------------- >> wget >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz >> wget >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.asc >> wget >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.sha512 >> >> wget >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz >> wget >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.asc >> wget >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.sha512 >> >> wget https://www.apache.org/dist/zookeeper/KEYS >> >> Verify Signature >> -------------------------------------------------------- >> gpg --import KEYS >> gpg --verify apache-zookeeper-3.6.3-bin.tar.gz.asc >> apache-zookeeper-3.6.3-bin.tar.gz >> gpg --verify apache-zookeeper-3.6.3.tar.gz.asc >> apache-zookeeper-3.6.3.tar.gz >> gpg --fingerprint 68E327C1 >> >> Verify Checksum >> -------------------------------------------------------- >> sha512sum --check apache-zookeeper-3.6.3-bin.tar.gz.sha512 >> sha512sum --check apache-zookeeper-3.6.3-bin.tar.gz.sha512 >> >> >> Verify license header by executing Apache RAT >> -------------------------------------------------------- >> tar -xvf apache-zookeeper-3.6.3.tar.gz >> cd apache-zookeeper-3.6.3 >> mvn clean apache-rat:check -DskipTests >> >> Perform quality checks, run checkstyle, spotbugs and unit tests >> -------------------------------------------------------- >> mvn clean install checkstyle:check spotbugs:check -DskipTests >> mvn clean test -Dsurefire.rerunFailingTestsCount=2 >> -DtestFailureIgnore=true -Dmaven.test.failure.ignore=true >> -Dmaven.test.error.ignore=true >> NOTE: use -Pfull-build to include ci tests as well >> >> Build and Cluster Install >> -------------------------------------------------------- >> Built the tarball from source code and compare that it is same as the >> downloaded tarball. Apart from timestamp changes, no other changes are >> observed >> mvn clean install -DskipTests >> Installed the downloaded bin tarball and do some feature sanity tests >> >> Thanks & Regards >> Arshad >> >> -----Original Message----- >> From: Mohammad Arshad [mailto:ars...@apache.org] >> Sent: Sunday, April 4, 2021 4:48 PM >> To: dev@zookeeper.apache.org >> Subject: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1 >> >> This is a bug fix release candidate for 3.6.3. It contains 50 fixes. >> >> The full release notes is available at: >> >> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12348703 >> >> *** Please download, test and vote by Wednesday, April 7th 2021, 23:59 >> UTC+0. *** >> >> Source and binary files: >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/ >> >> Maven staging repo: >> https://repository.apache.org/content/repositories/orgapachezookeeper-1070 >> >> The release candidate tag in git to be voted upon: release-3.6.3-1 >> https://github.com/apache/zookeeper/tree/release-3.6.3-1 >> >> ZooKeeper's KEYS file containing PGP keys we use to sign the release: >> https://www.apache.org/dist/zookeeper/KEYS >> >> The staging version of the website is: >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/website/ >> >> *Should we release this candidate?* >> >> Thanks & Regards >> Arshad >>
