Thanks Mate and Norbert for your feedback on RC1. When I created RC1, OWASP CI was successful (https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.6.3/5/). But yes, now that CI is failing.
I am cancelling this RC0 due to Jetty CVE CVE-2021-28165. Will prepare RC2 soon.

Thanks & Regards
Arshad

On Wed, Apr 7, 2021 at 6:12 PM Norbert Kalmar <nkal...@cloudera.com.invalid> wrote:

> dependency check is green now with
> https://github.com/apache/zookeeper/pull/1675
> We do backport security fixes to 3.5 branch, correct? I will create a
> separate PR for that due to ant support.
>
> - Norbert
>
> On Wed, Apr 7, 2021 at 2:19 PM Norbert Kalmar <nkal...@cloudera.com> wrote:
>
>> Please don't forget to update the license files also in zookeeper-server
>> resources folder!
>> But better yet I can create the jira and have a PR up soon.
>>
>> - Norbert
>>
>> On Wed, Apr 7, 2021 at 1:50 PM Andor Molnar <an...@apache.org> wrote:
>>
>>> Good catch Mate!
>>>
>>> Jetty has to be upgraded.
>>>
>>> Andor
>>>
>>> On 2021. Apr 7., at 13:43, Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
>>>
>>>> -1 (non-binding)
>>>>
>>>> Hello Mohammad!
>>>>
>>>> Thanks for the great work! Sorry for torpedoing it :(
>>>>
>>>> I voted with -1, as the CVE check failed for me on the release candidate:
>>>>
>>>> mvn clean package -DskipTests dependency-check:check
>>>> (...)
>>>> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper:
>>>> [ERROR]
>>>> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
>>>> [ERROR]
>>>> [ERROR] jetty-server-9.4.38.v20210224.jar: CVE-2021-28165
>>>> [ERROR] jetty-http-9.4.38.v20210224.jar: CVE-2021-28165
>>>> [ERROR]
>>>> [ERROR] See the dependency-check report for more details.
>>>>
>>>> It seems we have a relatively recent (about three weeks old) CVE error in Jetty: https://nvd.nist.gov/vuln/detail/CVE-2021-28165
>>>> "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame."
>>>>
>>>> Looks like we will have to upgrade to jetty-server-9.4.39.
>>>>
>>>> Kind regards,
>>>> Mate
>>>>
>>>> On Tue, Apr 6, 2021 at 10:17 AM Mohammad arshad <mohammad.ars...@huawei.com> wrote:
>>>>
>>>>> +1 (non-binding)
>>>>>
>>>>> -Verified signature and checksum of release artifacts. All ok
>>>>> -Ran JUnit test cases with jdk1.8.0_232 on Ubuntu 20.04, total 3137 test cases, 3 skipped, rest all passed
>>>>> -Done basic quality checks. Ran rat, checkstyle, spotbugs
>>>>> -Built tarball from source code, verified it is the same as the downloaded tarball
>>>>> -Installed 3 node cluster and verified basic functionalities from API, executed a few cli commands. No issues observed
>>>>> -Connected HBase, HDFS and Yarn clusters (all using zk 3.5.6) to ZooKeeper 3.6.3 cluster, no issues observed.
>>>>>
>>>>> Though as a release manager my +1 vote is implicit, voting again to share a few commands I used to verify the release.
>>>>>
>>>>> Here are some of the commands I executed while verifying the release.
>>>>>
>>>>> Download all the required artifacts
>>>>> --------------------------------------------------------
>>>>> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz
>>>>> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.asc
>>>>> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3-bin.tar.gz.sha512
>>>>>
>>>>> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz
>>>>> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.asc
>>>>> wget https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/apache-zookeeper-3.6.3.tar.gz.sha512
>>>>>
>>>>> wget https://www.apache.org/dist/zookeeper/KEYS
>>>>>
>>>>> Verify Signature
>>>>> --------------------------------------------------------
>>>>> gpg --import KEYS
>>>>> gpg --verify apache-zookeeper-3.6.3-bin.tar.gz.asc apache-zookeeper-3.6.3-bin.tar.gz
>>>>> gpg --verify apache-zookeeper-3.6.3.tar.gz.asc apache-zookeeper-3.6.3.tar.gz
>>>>> gpg --fingerprint 68E327C1
>>>>>
>>>>> Verify Checksum
>>>>> --------------------------------------------------------
>>>>> sha512sum --check apache-zookeeper-3.6.3-bin.tar.gz.sha512
>>>>> sha512sum --check apache-zookeeper-3.6.3-bin.tar.gz.sha512
>>>>>
>>>>> Verify license header by executing Apache RAT
>>>>> --------------------------------------------------------
>>>>> tar -xvf apache-zookeeper-3.6.3.tar.gz
>>>>> cd apache-zookeeper-3.6.3
>>>>> mvn clean apache-rat:check -DskipTests
>>>>>
>>>>> Perform quality checks, run checkstyle, spotbugs and unit tests
>>>>> --------------------------------------------------------
>>>>> mvn clean install checkstyle:check spotbugs:check -DskipTests
>>>>> mvn clean test -Dsurefire.rerunFailingTestsCount=2 -DtestFailureIgnore=true -Dmaven.test.failure.ignore=true -Dmaven.test.error.ignore=true
>>>>> NOTE: use -Pfull-build to include ci tests as well
>>>>>
>>>>> Build and Cluster Install
>>>>> --------------------------------------------------------
>>>>> Built the tarball from source code and compared that it is the same as the downloaded tarball. Apart from timestamp changes, no other changes are observed
>>>>> mvn clean install -DskipTests
>>>>> Installed the downloaded bin tarball and did some feature sanity tests
>>>>>
>>>>> Thanks & Regards
>>>>> Arshad
>>>>>
>>>>> -----Original Message-----
>>>>> From: Mohammad Arshad [mailto:ars...@apache.org]
>>>>> Sent: Sunday, April 4, 2021 4:48 PM
>>>>> To: dev@zookeeper.apache.org
>>>>> Subject: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1
>>>>>
>>>>> This is a bug fix release candidate for 3.6.3. It contains 50 fixes.
>>>>>
>>>>> The full release notes are available at:
>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12348703
>>>>>
>>>>> *** Please download, test and vote by Wednesday, April 7th 2021, 23:59 UTC+0. ***
>>>>>
>>>>> Source and binary files:
>>>>> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/
>>>>>
>>>>> Maven staging repo:
>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1070
>>>>>
>>>>> The release candidate tag in git to be voted upon: release-3.6.3-1
>>>>> https://github.com/apache/zookeeper/tree/release-3.6.3-1
>>>>>
>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>>>>> https://www.apache.org/dist/zookeeper/KEYS
>>>>>
>>>>> The staging version of the website is:
>>>>> https://people.apache.org/~arshad/zookeeper-3.6.3-candidate-1/website/
>>>>>
>>>>> *Should we release this candidate?*
>>>>>
>>>>> Thanks & Regards
>>>>> Arshad
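The "Verify Checksum" step of the release verification procedure quoted in the thread (download the .sha512 file next to each tarball, then `sha512sum --check`) as an added Python example; this is not code from the thread or from the ZooKeeper project. It parses the line format `sha512sum --check` consumes (`<hex>  <name>`, optionally `<hex> *<name>`, or a bare digest taken to belong to the file the .sha512 is named after), streams each artifact through SHA-512 so a large tarball is never held in memory, compares digests in constant time, and reports a missing or modified artifact as a failure instead of stopping at the first problem. `demo()` builds a constructed stand-in for the release directory (fake tarballs with invented contents, named like the bin and source tarballs listed under "Download all the required artifacts"), verifies both, then appends a byte to one of them to show the check failing. Signature verification is not covered here; that remains the `gpg --import KEYS` / `gpg --verify` pair from the thread.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

SHA512_HEX_LEN = 128  # 64 bytes of digest, hex-encoded


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-512 so a multi-megabyte tarball is never read whole."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha512_text(text, source_name=None):
    """Parse the contents of a .sha512 file into {artifact_name: expected_hex}.

    Accepted per line: "<hex>  <name>" or "<hex> *<name>" as written by sha512sum,
    or a bare "<hex>", which is attached to the artifact the .sha512 file is named
    after (apache-zookeeper-3.6.3-bin.tar.gz.sha512 -> apache-zookeeper-3.6.3-bin.tar.gz).
    Anything that is not a 128-char hex digest is rejected rather than silently skipped.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(digest) != SHA512_HEX_LEN or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-512 hex digest: {digest[:16]}...")
        if len(parts) == 2:
            name = parts[1].strip().lstrip("*")  # '*' marks binary mode in sha512sum output
        else:
            if not source_name:
                raise ValueError("bare digest but no .sha512 file name to attach it to")
            name = source_name[: -len(".sha512")] if source_name.endswith(".sha512") else source_name
        expected[name] = digest
    return expected


def parse_sha512_file(sha512_path):
    sha512_path = Path(sha512_path)
    return parse_sha512_text(sha512_path.read_text(), sha512_path.name)


def verify_sha512_file(sha512_path):
    """Verify every artifact listed in a .sha512 file, resolved relative to that file.

    Returns {artifact_name: bool}. A missing artifact is a False entry, not an
    exception, so one bad entry does not hide the status of the others.
    """
    sha512_path = Path(sha512_path)
    results = {}
    for name, expected_hex in parse_sha512_file(sha512_path).items():
        artifact = sha512_path.parent / name
        if not artifact.is_file():
            results[name] = False
            continue
        # compare_digest avoids leaking how many leading hex chars matched
        results[name] = hmac.compare_digest(sha512_of_file(artifact), expected_hex)
    return results


def demo():
    """Constructed release directory: two fake tarballs with made-up contents and a
    matching .sha512 for each, then one tarball modified after its checksum was written."""
    tarballs = ("apache-zookeeper-3.6.3-bin.tar.gz", "apache-zookeeper-3.6.3.tar.gz")
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        outcomes = {}
        for name in tarballs:
            (d / name).write_bytes(b"constructed stand-in payload for " + name.encode())
            (d / (name + ".sha512")).write_text(f"{sha512_of_file(d / name)}  {name}\n")
            outcomes[name] = verify_sha512_file(d / (name + ".sha512"))[name]
        # Simulate an artifact altered after the .sha512 was published: one extra byte.
        with open(d / tarballs[0], "ab") as f:
            f.write(b"\x00")
        outcomes["tampered"] = verify_sha512_file(d / (tarballs[0] + ".sha512"))[tarballs[0]]
        return outcomes


if __name__ == "__main__":
    for artifact, ok in demo().items():
        print(f"{artifact}: {'OK' if ok else 'FAILED'}")
```

Pointing `verify_sha512_file` at a real downloaded `apache-zookeeper-3.6.3-bin.tar.gz.sha512` reproduces what `sha512sum --check` does; the value of doing it in code is that every artifact gets a definite True/False, a bad or truncated checksum file raises instead of passing vacuously, and the comparison does not depend on which sha512sum implementation is installed.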