On Fri, Feb 4, 2022 at 2:29 PM Enrico Olivelli <eolive...@gmail.com> wrote:

> On Fri 4 Feb 2022, 19:27 Patrick Hunt <ph...@apache.org> wrote:
>
> > The branches, including 3.8.0, are still failing the owasp check due to
> > netty-tcnative
> >
> > https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.8.0/3/console
> > I see this jira was closed:
> > https://issues.apache.org/jira/browse/ZOOKEEPER-4462
> > and I can't find any other - what's the plan on addressing this? I'm not
> > familiar with this dependency, has anyone dug into this?
> >
>
> I am sorry.
> I saw the Jenkins job and I did not report it to the list.
>
>
No worries at all Enrico, appreciate your efforts.


> I closed the issue without adding the exclusion.
>
> I checked some of those CVEs, and they seem to be not directly related to
> that version in particular.
>
> I have upgraded to the latest version that is available.
>
> Also I think that we are not using that library directly as we are not
> using Netty native TLS support. We should include the Netty Boring SSL
> library and activate time.
>
> We should add the exclusion.
>
> I believe that the release candidate is safe
>
> Thanks for reporting this
>
>
NP. I also see a number of JIRA that are now invalid, iiuc. Could you
review/close/address as appropriate? They are all relative to netty CVE in
ZK:
https://issues.apache.org/jira/issues/?jql=project%20%3D%20ZOOKEEPER%20and%20resolution%20%3D%20unresolved%20and%20summary%20~%20%22netty%20cve*%22%20ORDER%20BY%20created%20DESC

Thanks!

Patrick



> Enrico
>
> >
> > *23:07:49*  One or more dependencies were identified with known
> > vulnerabilities in Apache ZooKeeper - Server:*23:07:49*  *23:07:49*
> > netty-tcnative-2.0.48.Final.jar
> > (pkg:maven/io.netty/netty-tcnative@2.0.48.Final,
> > cpe:2.3:a:netty:netty:2.0.48:*:*:*:*:*:*:*) : CVE-2014-3488,
> > CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445,
> > CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136,
> > CVE-2021-37137, CVE-2021-43797
> >
> >
> >
> > Patrick
> >
> > On Mon, Jan 31, 2022 at 4:22 AM Enrico Olivelli <eolive...@gmail.com>
> > wrote:
> >
> > > updates..
> > > I am still waiting for CI on this Netty TCNative upgrade, that has a CVE
> > > report
> > > https://github.com/apache/zookeeper/pull/1810
> > >
> > > it also needs a reviewer please
> > >
> > > Enrico
> > >
> > > On Mon 31 Jan 2022 at 11:33 Enrico Olivelli
> > > <eolive...@gmail.com> wrote:
> > > >
> > > > Andor,
> > > > sorry, I misunderstood your question.
> > > >
> > > > Yes, we must name it 3.8.0 due to Logback
> > > >
> > > > Enrico
> > > >
> > > > On Mon 31 Jan 2022 at 11:24 Enrico Olivelli
> > > > <eolive...@gmail.com> wrote:
> > > > >
> > > > > On Mon 31 Jan 2022 at 10:49 Andor Molnar
> > > > > <an...@apache.org> wrote:
> > > > > >
> > > > > > What’s the reason for cutting a new minor release?
> > > > > > The logback migration?
> > > > > >
> > > > > > 3.7 only has a single patch release so far: 3.7.0
> > > > > >
> > > > > > Isn’t that too early?
> > > > >
> > > > > for 3.7.1 we have to merge the upgrades of the libraries with CVEs,
> > > > > like Netty
> > > > > and also we have the fix for the k8s users with NettyServerConnection
> > > > > factory, that is a blocker for people on k8s
> > > > >
> > > > > >
> > > > > > Andor
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > > > On 2022. Jan 28., at 16:28, Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > >
> > > > > > > Sure.
> > > > > > >
> > > > > > > > On Fri 28 Jan 2022 at 14:19 Szalay-Bekő Máté
> > > > > > > > <szalay.beko.m...@gmail.com> wrote:
> > > > > > >>
> > > > > > >> Great news, thanks for the work, Enrico!!
> > > > > > >>
> > > > > > > >> I think we should wait for
> > > > > > > >> https://github.com/apache/zookeeper/pull/1807 (
> > > > > > > >> https://issues.apache.org/jira/browse/ZOOKEEPER-4461) so that we can
> > > > > > > >> eliminate all references for log4j1 from our pom.xml files. What do
> > > > > > > >> you think?
> > > > > > >
> > > > > > > good catch
> > > > > > >
> > > > > > > the patch looks good, let's commit it as soon as CI passes
> > > > > > >
> > > > > > > Enrico
> > > > > > >
> > > > > > >>
> > > > > > >> Regards,
> > > > > > >> Máté
> > > > > > >>
> > > > > > >>
> > > > > > > >> On Fri, Jan 28, 2022 at 5:24 AM Chris Nauroth <cnaur...@gmail.com> wrote:
> > > > > > >>
> > > > > > >>> +1
> > > > > > >>>
> > > > > > >>> Thanks for driving this, Enrico!
> > > > > > >>>
> > > > > > >>> Chris Nauroth
> > > > > > >>>
> > > > > > >>>
> > > > > > > >>> On Thu, Jan 27, 2022 at 7:08 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > >>>
> > > > > > >>>> Hello ZooKeepers,
> > > > > > >>>> I believe that the master branch is in good shape.
> > > > > > >>>>
> > > > > > >>>> I would like to start the release procedure for 3.8.0.
> > > > > > >>>>
> > > > > > >>>> This is the list of issues for 3.8.0
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>
> > >
> >
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20ZOOKEEPER%20AND%20fixVersion%20%3D%203.8.0
> > > > > > >>>>
> > > > > > > >>>> We recently addressed all of the CVEs by updating some key
> > > > > > > >>>> dependencies, like Netty, and moving away from Log4j1 (we
> > > > > > > >>>> switched to Logback)
> > > > > > >>>>
> > > > > > > >>>> If no one has objections I will start the release procedure on
> > > > > > > >>>> Monday
> > > > > > >>>>
> > > > > > >>>> Regards
> > > > > > >>>>
> > > > > > >>>> Enrico
> > > > > > >>>>
> > > > > > >>>
> > > > > >
> > >
> >
>
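The exclusion Enrico refers to, written out as an added example (it is not part of this thread and not ZooKeeper's own suppression file): an OWASP dependency-check suppression that is scoped to the netty-tcnative artifact and to the `netty:netty` CPE the scan above matched it against. The package URL and CPE are the ones in the quoted console output; the file name `owasp-suppressions.xml` and the wording of the note are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- owasp-suppressions.xml (file name is an assumption) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: dependency-check maps netty-tcnative-*.jar to the
      cpe:/a:netty:netty product, the NVD identifier for Netty itself,
      so every Netty CVE is reported against the tcnative artifact
      (see the branch-3.8.0 owasp job and ZOOKEEPER-4462 in the thread).
      Only that CPE match is suppressed, and only for tcnative artifacts;
      any CPE that genuinely describes netty-tcnative is still analysed,
      so a real tcnative advisory would still fail the build.
    ]]></notes>
    <!-- purl taken from the scan output (pkg:maven/io.netty/netty-tcnative@2.0.48.Final);
         the regex also covers classifier variants such as netty-tcnative-boringssl-static -->
    <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative.*@.*$</packageUrl>
    <cpe>cpe:/a:netty:netty</cpe>
  </suppress>
</suppressions>
```

Wire the file in through the `suppressionFiles` configuration of the `org.owasp:dependency-check-maven` plugin, then re-run the owasp job and confirm that the netty-tcnative entry no longer lists `netty:netty` findings while the report is otherwise unchanged. Suppressing the CPE match is preferable to listing the eleven CVEs from the log in `<cve>` elements: a CVE list would have to be extended every time a new Netty advisory is published, and a suppression keyed on the tcnative package URL stays correct across the upgrade in PR 1810 and later tcnative versions.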
