On Fri 4 Feb 2022, 19:27 Patrick Hunt <ph...@apache.org> wrote:
> The branches, including 3.8.0, are still failing the owasp check due to
> netty-tcnative
>
> https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.8.0/3/console
>
> I see this jira was closed:
> https://issues.apache.org/jira/browse/ZOOKEEPER-4462
> and I can't find any other - what's the plan on addressing this? I'm not
> familiar with this dependency, has anyone dug into this?

I am sorry. I saw the Jenkins job and I did not report it to the list.
I closed the issue without adding the exclusion.
I checked some of those CVEs, and they seem to be not directly related to that version in particular.
I have upgraded to the latest version that is available.
Also I think that we are not using that library directly as we are not using Netty native TLS support.
We should include the Netty Boring SSL library and activate time.
We should add the exclusion.
I believe that the release candidate is safe.

Thanks for reporting this
Enrico

> *23:07:49* One or more dependencies were identified with known
> vulnerabilities in Apache ZooKeeper - Server:
> *23:07:49*
> *23:07:49* netty-tcnative-2.0.48.Final.jar
> (pkg:maven/io.netty/netty-tcnative@2.0.48.Final,
> cpe:2.3:a:netty:netty:2.0.48:*:*:*:*:*:*:*) : CVE-2014-3488,
> CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445,
> CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136,
> CVE-2021-37137, CVE-2021-43797
>
> Patrick
>
> On Mon, Jan 31, 2022 at 4:22 AM Enrico Olivelli <eolive...@gmail.com> wrote:
>
> > updates..
> > I am still waiting for CI on this Netty TCNative upgrade, that has a CVE
> > report
> > https://github.com/apache/zookeeper/pull/1810
> >
> > it also needs a reviewer please
> >
> > Enrico
> >
> > On Mon 31 Jan 2022 at 11:33 Enrico Olivelli <eolive...@gmail.com> wrote:
> > >
> > > Andor,
> > > sorry, I misunderstood your question.
> > >
> > > Yes, we must name it 3.8.0 due to Logback
> > >
> > > Enrico
> > >
> > > On Mon 31 Jan 2022 at 11:24 Enrico Olivelli <eolive...@gmail.com> wrote:
> > > >
> > > > On Mon 31 Jan 2022 at 10:49 Andor Molnar <an...@apache.org> wrote:
> > > > >
> > > > > What's the reason for cutting a new minor release?
> > > > > The logback migration?
> > > > >
> > > > > 3.7 only has a single patch release so far: 3.7.0
> > > > >
> > > > > Isn't that too early?
> > > >
> > > > for 3.7.1 we have to merge the upgrades of the libraries with CVEs, like Netty
> > > > and also we have the fix for the k8s users with NettyServerConnection
> > > > factory, that is a blocker for people on k8s
> > > >
> > > > >
> > > > > Andor
> > > > >
> > > > > > On 2022. Jan 28., at 16:28, Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > >
> > > > > > Sure.
> > > > > >
> > > > > > On Fri 28 Jan 2022 at 14:19 Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > > > > > >
> > > > > > > Great news, thanks for the work, Enrico!!
> > > > > > >
> > > > > > > I think we should wait for
> > > > > > > https://github.com/apache/zookeeper/pull/1807
> > > > > > > (https://issues.apache.org/jira/browse/ZOOKEEPER-4461) so that we can
> > > > > > > eliminate all references for log4j1 from our pom.xml files. What do
> > > > > > > you think?
> > > > > >
> > > > > > good catch
> > > > > >
> > > > > > the patch looks good, let's commit it as soon as CI passes
> > > > > >
> > > > > > Enrico
> > > > > >
> > > > > > >
> > > > > > > Regards,
> > > > > > > Máté
> > > > > > >
> > > > > > > On Fri, Jan 28, 2022 at 5:24 AM Chris Nauroth <cnaur...@gmail.com> wrote:
> > > > > > >
> > > > > > > > +1
> > > > > > > >
> > > > > > > > Thanks for driving this, Enrico!
> > > > > > > >
> > > > > > > > Chris Nauroth
> > > > > > > >
> > > > > > > > On Thu, Jan 27, 2022 at 7:08 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Hello ZooKeepers,
> > > > > > > > > I believe that the master branch is in good shape.
> > > > > > > > >
> > > > > > > > > I would like to start the release procedure for 3.8.0.
> > > > > > > > >
> > > > > > > > > This is the list of issues for 3.8.0
> > > > > > > > >
> > > > > > > > > https://issues.apache.org/jira/issues/?jql=project%20%3D%20ZOOKEEPER%20AND%20fixVersion%20%3D%203.8.0
> > > > > > > > >
> > > > > > > > > We recently addressed all of the CVEs by updating some key
> > > > > > > > > dependencies, like Netty, and moving away from Log4j1 (we
> > > > > > > > > switched to LogBack)
> > > > > > > > >
> > > > > > > > > If no one has objections I will start the release procedure on
> > > > > > > > > Monday
> > > > > > > > >
> > > > > > > > > Regards
> > > > > > > > >
> > > > > > > > > Enrico
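The "exclusion" discussed above is, in OWASP dependency-check terms, a suppression. The entry below is an added example written here, not the ZooKeeper project's own suppression file or one of its commits; the file name and the wording of the notes are assumptions. It takes the package URL and CPE exactly as they appear in the CI report quoted in the thread and tells the scanner to stop mapping the netty-tcnative artifact to the netty core CPE, instead of suppressing the eleven CVE ids one by one.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the ZooKeeper project's own file. A dependency-check
     suppression file (a name such as owaspSuppressions.xml is an assumption)
     with one entry for the finding quoted in the CI report. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      The scanner maps pkg:maven/io.netty/netty-tcnative@2.0.48.Final to the
      CPE cpe:2.3:a:netty:netty:2.0.48, so every advisory filed against netty
      core is reported against the tcnative artifact. The dev-list review of
      the reported CVEs concluded they do not apply to this artifact, and
      ZooKeeper does not use Netty native TLS support directly.
      Suppressing the CPE match, rather than each CVE id, keeps any future
      advisory that names netty-tcnative itself visible in the report.
    ]]></notes>
    <!-- Scope the entry to this one artifact. The regex also covers the
         classifier variants of tcnative and later 2.0.x versions, so the
         entry does not silently expire on the next upgrade. -->
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative.*$</packageUrl>
    <!-- Detach the netty core CPE (dependency-check takes the 2.2 URI form here). -->
    <cpe>cpe:/a:netty:netty</cpe>
  </suppress>
</suppressions>
```

The check that belongs with such an entry is to re-run the same OWASP CI job and confirm that the report no longer lists netty-tcnative under the netty CPE while other findings are unchanged; a suppression keyed on the CVE numbers would pass the same check today but would also hide a later, genuine netty-tcnative advisory that happened to reuse one of those ids.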