dependency check is green now with
https://github.com/apache/zookeeper/pull/1675
We do backport security fixes to 3.5 branch, correct? I will create a
separate PR for that due to ant support.

- Norbert

On Wed, Apr 7, 2021 at 2:19 PM Norbert Kalmar <nkal...@cloudera.com> wrote:

> Please don't forget to update the license files also in zookeeper-server
> resources folder!
> But better yet I can create the jira and have a PR up soon.
>
> - Norbert
>
> On Wed, Apr 7, 2021 at 1:50 PM Andor Molnar <an...@apache.org> wrote:
>
>> Good catch Mate!
>>
>> Jetty has to be upgraded.
>>
>> Andor
>>
>>
>>
>>
>> > On 2021. Apr 7., at 13:43, Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
>> >
>> > -1 (non-binding)
>> >
>> > Hello Mohammad!
>> >
>> > Thanks for the great work! Sorry for torpedoing it :(
>> >
>> > I voted with -1, as the CVE check failed for me on the release candidate:
>> >
>> > mvn clean package -DskipTests dependency-check:check
>> > (...)
>> > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper:
>> > [ERROR]
>> > [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
>> > [ERROR]
>> > [ERROR] jetty-server-9.4.38.v20210224.jar: CVE-2021-28165
>> > [ERROR] jetty-http-9.4.38.v20210224.jar: CVE-2021-28165
>> > [ERROR]
>> > [ERROR] See the dependency-check report for more details.
>> >
>> >
>> > It seems we have a relatively recent (about three weeks old) CVE error in
>> > Jetty: https://nvd.nist.gov/vuln/detail/CVE-2021-28165
>> > " In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
>> > 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large
>> > invalid TLS frame."
>> >
>> > Looks like we will have to upgrade to jetty-server-9.4.39.
>> >
>> > Kind regards,
>> > Mate
>> >
>> > On Tue, Apr 6, 2021 at 10:17 AM Mohammad arshad <mohammad.ars...@huawei.com> wrote:
>> >
>> >> +1 (non-binding)
>> >>
>> >> -Verified signature and checksum of release artifacts. all ok
>> >> -Run Junit test cases with jdk1.8.0_232 on Ubuntu 20.04, total 3137 test
>> >> cases, 3 skipped, rest all passed
>> >> -Done basic quality checks. run rat, checkstyle, spotbugs
>> >> -Built tarball from source code, Verified it is same as the downloaded
>> >> tarball
>> >> -Installed 3 node cluster and verified basic functionalities from API,
>> >> executed few cli commands. No issues observed
>> >> -Connected HBase, HDFS and Yarn clusters (all using zk 3.5.6) to ZooKeeper
>> >> 3.6.3 cluster, no issues observed.
>> >>
>> >> Though as a release manager my +1 vote is implicit, voting again to share
>> >> a few commands I used to verify the release.
>> >>
>> >> Here are some of the commands I executed while verifying the release.
>> >>
>> >> Download all the required artifacts
>> >> --------------------------------------------------------
>> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz
>> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.asc
>> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.sha512
>> >>
>> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz
>> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.asc
>> >> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.sha512
>> >>
>> >> wget https://www.apache.org/dist/zookeeper/KEYS
>> >>
>> >> Verify Signature
>> >> --------------------------------------------------------
>> >> gpg --import KEYS
>> >> gpg --verify apache-zookeeper-3.6.3-bin.tar.gz.asc
>> >> apache-zookeeper-3.6.3-bin.tar.gz
>> >> gpg --verify apache-zookeeper-3.6.3.tar.gz.asc
>> >> apache-zookeeper-3.6.3.tar.gz
>> >> gpg --fingerprint 68E327C1
>> >>
>> >> Verify Checksum
>> >> --------------------------------------------------------
>> >> sha512sum --check apache-zookeeper-3.6.3-bin.tar.gz.sha512
>> >> sha512sum --check apache-zookeeper-3.6.3.tar.gz.sha512
>> >>
>> >>
>> >> Verify license header by executing Apache RAT
>> >> --------------------------------------------------------
>> >> tar -xvf apache-zookeeper-3.6.3.tar.gz
>> >> cd apache-zookeeper-3.6.3
>> >> mvn clean apache-rat:check -DskipTests
>> >>
>> >> Perform quality checks, run checkstyle, spotbugs and unit tests
>> >> --------------------------------------------------------
>> >> mvn clean install checkstyle:check spotbugs:check -DskipTests
>> >> mvn clean test -Dsurefire.rerunFailingTestsCount=2
>> >> -DtestFailureIgnore=true -Dmaven.test.failure.ignore=true
>> >> -Dmaven.test.error.ignore=true
>> >> NOTE: use -Pfull-build to include ci tests as well
>> >>
>> >> Build and Cluster Install
>> >> --------------------------------------------------------
>> >> Built the tarball from source code and compared that it is the same as the
>> >> downloaded tarball. Apart from timestamp changes, no other changes were
>> >> observed
>> >> mvn clean install -DskipTests
>> >> Installed the downloaded bin tarball and did some feature sanity tests
>> >>
>> >> Thanks & Regards
>> >> Arshad
>> >>
>> >> -----Original Message-----
>> >> From: Mohammad Arshad [mailto:ars...@apache.org]
>> >> Sent: Sunday, April 4, 2021 4:48 PM
>> >> To: dev@zookeeper.apache.org
>> >> Subject: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1
>> >>
>> >> This is a bug fix release candidate for 3.6.3. It contains 50 fixes.
>> >>
>> >> The full release notes are available at:
>> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12348703
>> >>
>> >> *** Please download, test and vote by Wednesday, April 7th 2021, 23:59
>> >> UTC+0. ***
>> >>
>> >> Source and binary files:
>> >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/
>> >>
>> >> Maven staging repo:
>> >> https://repository.apache.org/content/repositories/orgapachezookeeper-1070
>> >>
>> >> The release candidate tag in git to be voted upon: release-3.6.3-1
>> >> https://github.com/apache/zookeeper/tree/release-3.6.3-1
>> >>
>> >> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>> >> https://www.apache.org/dist/zookeeper/KEYS
>> >>
>> >> The staging version of the website is:
>> >> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/website/
>> >>
>> >> *Should we release this candidate?*
>> >>
>> >> Thanks & Regards
>> >> Arshad
>> >>
>>
>>
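Added example (not code from this thread or from the ZooKeeper project): a Python version of the signature and checksum steps in Arshad's checklist, with the check the bare commands omit: a passing `gpg --verify` only says that some key in the keyring signed the tarball, so the signer's fingerprint from gpg's status output is also compared with the expected release key. EXPECTED_FINGERPRINT is a placeholder, since the thread shows only the short id 68E327C1; the `.sha512` and `.asc` files are assumed to sit beside the artifact, as they do on people.apache.org.

```python
import hashlib
import hmac
import re
import subprocess
from pathlib import Path
from typing import Optional

# Placeholder (assumption): full 40-hex-digit fingerprint of the release manager's
# key as listed in the project's KEYS file. The thread only shows the short key
# id 68E327C1, which is not enough to pin a key.
EXPECTED_FINGERPRINT = "0000000000000000000000000000000000000000"


def verify_sha512(artifact: Path) -> bool:
    """Check artifact against its <name>.sha512 sidecar (bare hex or the
    'hex  filename' form that sha512sum --check reads), in constant time."""
    sidecar = artifact.with_name(artifact.name + ".sha512")
    parts = sidecar.read_text().split()
    expected = parts[0].lower() if parts else ""
    if not re.fullmatch(r"[0-9a-f]{128}", expected):
        return False  # malformed sidecar is a failure, not a pass
    h = hashlib.sha512()
    with artifact.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


def signing_fingerprint(status_output: str) -> Optional[str]:
    """Extract the signing key fingerprint from 'gpg --status-fd' output.
    gpg --verify exits 0 for a valid signature by *any* key in the keyring,
    so the VALIDSIG line must additionally be matched to the expected key."""
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ", line)
        if m:
            return m.group(1)
    return None


def verify_signature(artifact: Path, expected_fpr: str = EXPECTED_FINGERPRINT) -> bool:
    """Run gpg on <name>.asc and require the signer to be the expected key."""
    sig = artifact.with_name(artifact.name + ".asc")
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(artifact)],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return False
    fpr = signing_fingerprint(proc.stdout)
    return fpr is not None and hmac.compare_digest(fpr, expected_fpr.upper())
```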
