Is slf4j really needed for security? Only cve I see here is from 2018... https://www.slf4j.org/news.html

Should we revert the slf4j change in its entirety/all branches until it can be made in a b/w compatible way?

Patrick

On Wed, Aug 6, 2025 at 2:59 PM Andor Molnar <[email protected]> wrote:

> Maybe the slf4j upgrade (1.7.30 -> 2.0.13) has higher impact, because it’s a major upgrade. Logback is just an example of how to do logging with ZooKeeper real life setups probably replace it with something else like log4j2. The logging facade (slf4j) could have bw incompatible changes that will force users to make changes related to logging on their classpath.
>
> I’m speculating and haven’t checked slf4j for details.
>
> Andor
>
> > On Aug 6, 2025, at 16:46, Patrick Hunt <[email protected]> wrote:
> >
> > Is the only problem the minor "semantic" upgrade of logback in a fix release of zk? That should be stable (contract wise) on the dependency, right? Or is there some real impact, eg b/w incompat change visible to ZK users? If the former that seems fine, if the latter then we have a harder problem to address. (security issue breaking b/w compat)
> >
> > Patrick
> >
> > On Wed, Aug 6, 2025 at 2:36 PM Andor Molnar <[email protected]> wrote:
> >
> >> Sorry for the confusion, I picked 3.8 as an example, but logback/slf4j upgrades haven’t been backported to 3.9 either. Therefore I created the following backport PR:
> >>
> >> https://github.com/apache/zookeeper/pull/2290
> >>
> >>> "Why would they be applied to master and not to any active (release) line?
> >>
> >> Since we’ve already released 3.9.3 with logback 1.2.13 and don’t want users to realize 1.2->1.3 logback upgrade in a 3.9.3->3.9.4 ZooKeeper upgrade process, although this upgrade is necessary anyways to address the CVE in question.
> >>
> >> (in my understanding)
> >>
> >> Andor
> >>
> >>> On Aug 6, 2025, at 15:34, Patrick Hunt <[email protected]> wrote:
> >>>
> >>> I'm confused - this thread started with "OWASP reports CVEs on the 3.8 branch and noticed in the PRs that we should only upgrade logback on the master branch" - I read that as "some fixes on 3.9 are not backported to 3.8". But you are saying that this is not fixed (still owasp warnings) on 3.9 which is separate from master? Why would they be applied to master and not to any active (release) line? What is the impact of the changes on master and 3.9? iiuc there are backward incompatible changes if applied to 3.8? There should not be b/w incompatible changes applied to any 3.x (incl master, a future 3.x...) release.
> >>>
> >>> Patrick
> >>>
> >>> On Wed, Aug 6, 2025 at 1:16 PM Andor Molnar <[email protected]> wrote:
> >>>
> >>>> Yeah, that would remove the burden of maintaining the 3.8 version line, but 3.9.x versions still don’t have logback and slf4j upgraded, still flagged by the Owasp build and users will probably still complain about CVEs.
> >>>>
> >>>> My question is what should we do on branches other than the master?
> >>>>
> >>>> 1. Backport logback and slf4j upgrades from master, or
> >>>> 2. Add Owasp suppression rule to skip checking these libraries completely.
> >>>>
> >>>> I need to answer this question before going forward with the 3.9.4 release.
> >>>>
> >>>> Regards,
> >>>> Andor
> >>>>
> >>>>> On Aug 6, 2025, at 13:39, Christopher <[email protected]> wrote:
> >>>>>
> >>>>> +1 to that idea.
> >>>>>
> >>>>> The releases page[1] says "Apache ZooKeeper 3.9.3 is our current release, and 3.8.4 our latest stable release". Is 3.9 sufficiently stable to replace 3.8 as the current "stable"? If the answer is yes, then I think it makes sense to EOL 3.8.
> >>>>>
> >>>>> [1]: https://zookeeper.apache.org/releases.html#download
> >>>>>
> >>>>> On Mon, Aug 4, 2025 at 2:52 PM Patrick Hunt <[email protected]> wrote:
> >>>>>>
> >>>>>> Should we sunset that minor release due to the "unfixable" security issue and EOL of dependenc(ies)?
> >>>>>>
> >>>>>> Patrick
> >>>>>>
> >>>>>> On Mon, Aug 4, 2025 at 10:03 AM Andor Molnar <[email protected]> wrote:
> >>>>>>
> >>>>>>> Yeah, I agree with that, but we can’t leave things here just like that. Either we should keep updating the logging libraries on all active branches or add the necessary suppression to Owasp. Otherwise the report result will be completely meaningless.
> >>>>>>>
> >>>>>>> Andor
> >>>>>>>
> >>>>>>>> On Aug 4, 2025, at 08:21, Christopher <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>> Yes, that is basically my concern. I commented at
> >>>>>>>> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
> >>>>>>>>
> >>>>>>>> On Fri, Aug 1, 2025, 18:43 Andor Molnar <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>>> Christopher raised concern about it in
> >>>>>>>>>
> >>>>>>>>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
> >>>>>>>>>
> >>>>>>>>> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x which should not be done in bugfix releases.
> >>>>>>>>>
> >>>>>>>>> I’m not sure. Maybe we should just add another Owasp suppression, but that wouldn’t be appropriate either.
> >>>>>>>>>
> >>>>>>>>> Andor
> >>>>>>>>>
> >>>>>>>>>> On Jul 30, 2025, at 18:39, Andor Molnar <[email protected]> wrote:
> >>>>>>>>>>
> >>>>>>>>>> That’s my understanding too, but looks like folks skipped even the 3.9 backport in the case of logback.
> >>>>>>>>>>
> >>>>>>>>>> Andor
> >>>>>>>>>>
> >>>>>>>>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <[email protected]> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> My understanding, I thought the rule was to backport any patch to all of the active releases unless it's a new feature. Perhaps ask the folks who committed?
> >>>>>>>>>>>
> >>>>>>>>>>> Patrick
> >>>>>>>>>>>
> >>>>>>>>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <[email protected]> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Hi folks,
> >>>>>>>>>>>>
> >>>>>>>>>>>> Currently I’m working on some backports, because OWASP reports CVEs on the 3.8 branch and noticed in the PRs that we should only upgrade logback on the master branch. Why is that?
> >>>>>>>>>>>>
> >>>>>>>>>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13, cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
> >>>>>>>>>>>>
> >>>>>>>>>>>> Regards,
> >>>>>>>>>>>> Andor
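Option 2 from Andor's list, written out as an added example that is not part of the thread or of the ZooKeeper build: an OWASP dependency-check suppression scoped to the exact artifact and the two CVEs from the report, rather than one that skips the library entirely, so every other finding still surfaces. The file name and the `until` date are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (assumed file name: owasp-suppressions.xml, referenced from
     the dependency-check plugin configuration). Uses dependency-check's 1.3
     suppression schema. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Match on the package URL of the one artifact/version from the report
       and list only the CVEs being accepted. A bare CPE match
       (qos:logback) would also hide future logback findings. -->
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
      logback-core 1.2.13 on the 3.9.x line: CVE-2024-12798, CVE-2024-12801.
      The logback 1.2->1.3 / slf4j 1.7.30->2.0.13 upgrade is on master and
      not backported to bugfix releases. The "until" date (assumed) forces a
      re-review once it passes: the suppression expires and the findings
      return to the report.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@1\.2\.13$</packageUrl>
    <cve>CVE-2024-12798</cve>
    <cve>CVE-2024-12801</cve>
  </suppress>

</suppressions>
```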
