The branches, including 3.8.0, are still failing the owasp check due to netty-tcnative
https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.8.0/3/console

I see this jira was closed: https://issues.apache.org/jira/browse/ZOOKEEPER-4462 and I can't find any other - what's the plan on addressing this? I'm not familiar with this dependency, has anyone dug into this?

*23:07:49* One or more dependencies were identified with known vulnerabilities in Apache ZooKeeper - Server:
*23:07:49*
*23:07:49* netty-tcnative-2.0.48.Final.jar (pkg:maven/io.netty/netty-tcnative@2.0.48.Final, cpe:2.3:a:netty:netty:2.0.48:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, CVE-2021-43797

Patrick

On Mon, Jan 31, 2022 at 4:22 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> updates..
> I am still waiting for CI on this Netty TCNative upgrade, that has a CVE report
> https://github.com/apache/zookeeper/pull/1810
>
> it also needs a reviewer please
>
> Enrico
>
> On Mon, 31 Jan 2022 at 11:33 Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> > Andor,
> > sorry, I misunderstood your question.
> >
> > Yes, we must name it 3.8.0 due to Logback
> >
> > Enrico
> >
> > On Mon, 31 Jan 2022 at 11:24 Enrico Olivelli <eolive...@gmail.com> wrote:
> > >
> > > On Mon, 31 Jan 2022 at 10:49 Andor Molnar <an...@apache.org> wrote:
> > > >
> > > > What's the reason for cutting a new minor release?
> > > > The logback migration?
> > > >
> > > > 3.7 only has a single patch release so far: 3.7.0
> > > >
> > > > Isn't that too early?
> > >
> > > for 3.7.1 we have to merge the upgrades of the libraries with CVEs, like Netty
> > > and also we have the fix for the k8s users with NettyServerConnection factory, that is a blocker for people on k8s
> > >
> > > > Andor
> > > >
> > > > > On 2022. Jan 28., at 16:28, Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > >
> > > > > Sure.
> > > > >
> > > > > On Fri, 28 Jan 2022 at 14:19 Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > > > >>
> > > > >> Great news, thanks for the work, Enrico!!
> > > > >>
> > > > >> I think we should wait for https://github.com/apache/zookeeper/pull/1807 (https://issues.apache.org/jira/browse/ZOOKEEPER-4461) so that we can eliminate all references to log4j1 from our pom.xml files. What do you think?
> > > > >
> > > > > good catch
> > > > >
> > > > > the patch looks good, let's commit it as soon as CI passes
> > > > >
> > > > > Enrico
> > > > >
> > > > >> Regards,
> > > > >> Máté
> > > > >>
> > > > >> On Fri, Jan 28, 2022 at 5:24 AM Chris Nauroth <cnaur...@gmail.com> wrote:
> > > > >>
> > > > >>> +1
> > > > >>>
> > > > >>> Thanks for driving this, Enrico!
> > > > >>>
> > > > >>> Chris Nauroth
> > > > >>>
> > > > >>> On Thu, Jan 27, 2022 at 7:08 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > >>>
> > > > >>>> Hello ZooKeepers,
> > > > >>>> I believe that the master branch is in good shape.
> > > > >>>>
> > > > >>>> I would like to start the release procedure for 3.8.0.
> > > > >>>>
> > > > >>>> This is the list of issues for 3.8.0
> > > > >>>>
> > > > >>>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20ZOOKEEPER%20AND%20fixVersion%20%3D%203.8.0
> > > > >>>>
> > > > >>>> We recently addressed all of the CVEs by updating some key dependencies, like Netty, and moving away from Log4j1 (we switched to LogBack)
> > > > >>>>
> > > > >>>> If no one has objections I will start the release procedure on Monday
> > > > >>>>
> > > > >>>> Regards
> > > > >>>>
> > > > >>>> Enrico
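Added example (not from the thread or from the ZooKeeper project): a small triage helper that parses a dependency-check failure message of the shape quoted above and flags findings where the CPE product the scanner matched (here `netty`) differs from the Maven artifactId (`netty-tcnative`), which is the first thing to verify when deciding whether the listed CVEs actually apply to that jar. The log text below is a constructed sample in that format, not the real CI console output.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the dependency-check failure message
# quoted in the thread (not the real CI console log).
SAMPLE_LOG = """\
One or more dependencies were identified with known vulnerabilities in Apache ZooKeeper - Server:

netty-tcnative-2.0.48.Final.jar (pkg:maven/io.netty/netty-tcnative@2.0.48.Final, cpe:2.3:a:netty:netty:2.0.48:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2021-43797
"""

# One finding per line: "<jar> (<comma-separated identifiers>) : <CVE list>"
FINDING_RE = re.compile(
    r"^(?P<jar>\S+\.jar) \((?P<ids>[^)]*)\) : (?P<cves>CVE-\d{4}-\d+(?:, CVE-\d{4}-\d+)*)",
    re.MULTILINE,
)
PURL_RE = re.compile(r"pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>\S+)")


@dataclass
class Finding:
    jar: str
    group: str
    artifact: str
    version: str
    cpe_vendor: str
    cpe_product: str
    cpe_version: str
    cves: list


def parse_findings(text):
    """Extract the scanner's findings from a dependency-check failure message."""
    findings = []
    for m in FINDING_RE.finditer(text):
        ids = m.group("ids").split(", ")
        purl = next((i for i in ids if i.startswith("pkg:maven/")), None)
        cpe = next((i for i in ids if i.startswith("cpe:2.3:")), None)
        if purl is None or cpe is None:
            continue  # without both identifiers the mismatch check is meaningless
        p = PURL_RE.fullmatch(purl)
        vendor, product, cpe_version = cpe.split(":")[3:6]  # cpe:2.3:<part>:<vendor>:<product>:<version>:...
        findings.append(Finding(m.group("jar"), p["group"], p["artifact"], p["version"],
                                vendor, product, cpe_version, m.group("cves").split(", ")))
    return findings


def needs_manual_review(f):
    """True when the matched CPE names a different product than the Maven artifact:
    the CVEs may have been attributed from another component and should be confirmed
    against their advisories before upgrading or writing a suppression."""
    return f.cpe_product != f.artifact


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_LOG):
        flag = "REVIEW CPE MATCH" if needs_manual_review(f) else "ok"
        print(f"{f.group}:{f.artifact}:{f.version} -> cpe {f.cpe_vendor}:{f.cpe_product}:{f.cpe_version} [{flag}] {len(f.cves)} CVEs")
```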