Posted to dev@zookeeper.apache.org by Enrico Olivelli <eo...@gmail.com> on 2019/09/20 20:18:49 UTC

[VOTE] Apache ZooKeeper release 3.5.6 candidate 1

This is a bugfix release candidate for 3.5.6.

It fixes 27 issues, including upgrade of third party libraries,
TTL Node APIs for C API, support for PKCS12 Keystores, and better procedure
for the upgrade of servers from 3.4 to 3.5.

The full release notes are available at:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243

*** Please download, test and vote by September 23rd 2019, 23:59 UTC+0. ***

Source files:
https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1

Maven staging repo:
https://repository.apache.org/content/repositories/orgapachezookeeper-1041/

The release candidate tag in git to be voted upon: release-3.5.6-rc1
https://github.com/apache/zookeeper/tree/release-3.5.6-rc1

ZooKeeper's KEYS file containing PGP keys we use to sign the release:
https://www.apache.org/dist/zookeeper/KEYS

Should we release this candidate?

Enrico Olivelli

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Enrico Olivelli <eo...@gmail.com>.
FYI
I have sent a new RC, please check the new VOTE thread

Enrico

On Fri, Sep 27, 2019 at 13:22 Norbert Kalmar
<nk...@cloudera.com.invalid> wrote:

> Jackson patch merged to master, 3.5 and 3.5.6
>
> Regards,
> Norbert

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Norbert Kalmar <nk...@cloudera.com.INVALID>.
Jackson patch merged to master, 3.5 and 3.5.6

Regards,
Norbert

On Thu, Sep 26, 2019 at 10:42 PM Patrick Hunt <ph...@apache.org> wrote:

> GitHub just bought Semmle and is offering "automated security fixes" -
> should we turn this GitHub feature on and give it a try?
>
> https://help.github.com/en/articles/configuring-automated-security-fixes
>
> Patrick

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Patrick Hunt <ph...@apache.org>.
GitHub just bought Semmle and is offering "automated security fixes" -
should we turn this GitHub feature on and give it a try?

https://help.github.com/en/articles/configuring-automated-security-fixes

Patrick


On Thu, Sep 26, 2019 at 2:32 PM Enrico Olivelli <eo...@gmail.com> wrote:

> I am cancelling the vote now.
>
> There is already a pending PR for the upgrade
>
> I have approved it, it needs a second +1
>
> Please take a look and merge
>
>
> Enrico

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Enrico Olivelli <eo...@gmail.com>.
I am cancelling the vote now.

There is already a pending PR for the upgrade

I have approved it, it needs a second +1

Please take a look and merge


Enrico

On Thu, Sep 26, 2019, 20:16 Andor Molnar <an...@apache.org> wrote:

> Sorry I was busy with company work and didn’t have much time for
> ZooKeeper. I was not sure about whether I have to -1 because of those new
> CVEs, but if we can upgrade relatively quickly (bumping version numbers),
> then I think we should do it even if the problem doesn’t affect us
> directly. (owasp build will be red anyways)
>
> Enrico, how much effort would it be to upgrade Jackson libs again?
>
> Sorry about that.
>
> Andor

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Andor Molnar <an...@apache.org>.
Sorry I was busy with company work and didn’t have much time for ZooKeeper. I was not sure about whether I have to -1 because of those new CVEs, but if we can upgrade relatively quickly (bumping version numbers), then I think we should do it even if the problem doesn’t affect us directly. (owasp build will be red anyways)

Enrico, how much effort would it be to upgrade Jackson libs again?

Sorry about that.

Andor




> On 2019. Sep 26., at 17:38, Patrick Hunt <ph...@apache.org> wrote:
> 
> On Thu, Sep 26, 2019 at 3:50 AM Enrico Olivelli <eo...@gmail.com> wrote:
> 
>> Hi folks,
>> all the community is invited to test this release candidate
>> 
>> and we need at least three binding VOTEs
>> 
>> 
> After seeing Andor's feedback I was waiting for the new RC to be cut. (also
> FYI Strata this week) Given we release relatively infrequently it seemed a
> better idea to spend an additional few days knocking this one down so it's
> not an open question going forward. If folks disagree please state as such
> as I'd rather not spend the time reviewing again just to have to review
> another RC.
> 
> Patrick
> 
> 
> 
>> Best regards
>> Enrico


Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Patrick Hunt <ph...@apache.org>.
On Thu, Sep 26, 2019 at 3:50 AM Enrico Olivelli <eo...@gmail.com> wrote:

> Hi folks,
> all the community is invited to test this release candidate
>
> and we need at least three binding VOTEs
>
>
After seeing Andor's feedback I was waiting for the new RC to be cut. (also
FYI Strata this week) Given we release relatively infrequently it seemed a
better idea to spend an additional few days knocking this one down so it's
not an open question going forward. If folks disagree please state as such
as I'd rather not spend the time reviewing again just to have to review
another RC.

Patrick



> Best regards
> Enrico
>
> On Mon, Sep 23, 2019 at 11:22 Enrico Olivelli <eolivelli@gmail.com> wrote:
>
> > Links to the details:
> > https://github.com/FasterXML/jackson-databind/issues/2449
> > https://github.com/FasterXML/jackson-databind/issues/2449
> >
> > @Andor Molnár <an...@apache.org>  is it a -1 from your side ?
> >
> > The rush for 3.5.6 is more about delivering a version of ZK without the
> > security issues reported for Jackson Databind, so it may make sense to
> > cancel this vote (but I am not doing it actually)
> > Btw we can't follow the fast pace of DataBind and CVEs
> >
> > This is interesting
> >
> > https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
> >
> > As we are not affected by the issues above I suggest to move forward with
> > the current tag
> >
> >
> >
> > Enrico
> >
> > On Mon, Sep 23, 2019 at 11:07 Norbert Kalmar
> > <nk...@cloudera.com.invalid> wrote:
> >
> >> These CVEs do not affect ZooKeeper, both are related to Hikari which is not
> >> used at all by ZooKeeper. (It's a JDBC connection pooling library)
> >>
> >> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
> >>
> >>
> >> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <an...@apache.org> wrote:
> >>
> >> > Hi Enrico!
> >> >
> >> > Looks like owasp is reporting 2 new issues with jackson-databind-2.9.9.3:
> >> >
> >> > https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
> >> >
> >> > If I’m not mistaken.
> >> >
> >> > Andor
> >> >
> >> >
> >> >
> >> > > On 2019. Sep 20., at 22:18, Enrico Olivelli <eo...@gmail.com> wrote:
> >> > >
> >> > > This is a bugfix release candidate for 3.5.6.
> >> > >
> >> > > It fixes 27 issues, including upgrade of third party libraries,
> >> > > TTL Node APIs for C API, support for PKCS12 Keystores, and better procedure
> >> > > for the upgrade of servers from 3.4 to 3.5.
> >> > >
> >> > > The full release notes are available at:
> >> > >
> >> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >> > >
> >> > > *** Please download, test and vote by September 23rd 2019, 23:59 UTC+0. ***
> >> > >
> >> > > Source files:
> >> > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
> >> > >
> >> > > Maven staging repo:
> >> > > https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
> >> > >
> >> > > The release candidate tag in git to be voted upon: release-3.5.6-rc1
> >> > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
> >> > >
> >> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >> > > https://www.apache.org/dist/zookeeper/KEYS
> >> > >
> >> > > Should we release this candidate?
> >> > >
> >> > > Enrico Olivelli
> >> >
> >> >
> >>
> >
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Norbert Kalmar <nk...@cloudera.com.INVALID>.
Sorry, I also forgot to vote and just commented on the Jackson CVE.
But +1, I did the usual:

tests pass, after building I started ZK and ran a few commands
Checked the bin package, license files look to be in order, server runs,
commands work
Signature OK.

Regards,
Norbert

On Thu, Sep 26, 2019 at 9:50 AM Enrico Olivelli <eo...@gmail.com> wrote:

> Hi folks,
> all the community is invited to test this release candidate
>
> and we need at least three binding VOTEs
>
> Best regards
> Enrico
>
> On Mon, Sep 23, 2019 at 11:22 AM Enrico Olivelli <
> eolivelli@gmail.com> wrote:
>
> > Links to the details:
> > https://github.com/FasterXML/jackson-databind/issues/2449
> > https://github.com/FasterXML/jackson-databind/issues/2449
> >
> > @Andor Molnár <an...@apache.org>  is it a -1 from your side ?
> >
> > The rush for 3.5.6 is more about delivering a version of ZK without the
> > security issues reported for Jackson Databind, so it may make sense to
> > cancel this vote (but I am not doing it actually)
> > Btw we can't follow the fast pace of DataBind and CVEs
> >
> > This is interesting
> >
> >
> https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
> >
> >
> > As we are not affected by the issues above I suggest to move forward with
> > the current tag
> >
> >
> >
> > Enrico
> >
> > On Mon, Sep 23, 2019 at 11:07 AM Norbert Kalmar
> > <nk...@cloudera.com.invalid> wrote:
> >
> >> These CVEs do not affect ZooKeeper, both are related to Hikari which is not
> >> used at all by ZooKeeper. (It's a JDBC connection pooling library)
> >>
> >>
> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
> >>
> >>
> >> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <an...@apache.org> wrote:
> >>
> >> > Hi Enrico!
> >> >
> >> > Looks like owasp is reporting 2 new issues with
> >> jackson-databind-2.9.9.3:
> >> >
> >> >
> >> >
> >>
> https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
> >> >
> >> > If I’m not mistaken.
> >> >
> >> > Andor
> >> >
> >> >
> >> >
> >> > > On 2019. Sep 20., at 22:18, Enrico Olivelli <eo...@gmail.com>
> >> wrote:
> >> > >
> >> > > This is a bugfix release candidate for 3.5.6.
> >> > >
> >> > > It fixes 27 issues, including upgrade of third party libraries,
> >> > > TTL Node APIs for C API, support for PCKS12 Keystores, and better
> >> > procedure
> >> > > for the upgrade of servers from 3.4 to 3.5.
> >> > >
> >> > > The full release notes is available at:
> >> > >
> >> > >
> >> >
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >> > >
> >> > > *** Please download, test and vote by September 23th 2019, 23:59
> >> UTC+0.
> >> > ***
> >> > >
> >> > > Source files:
> >> > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
> >> > >
> >> > > Maven staging repo:
> >> > >
> >> >
> >>
> https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
> >> > >
> >> > > The release candidate tag in git to be voted upon: release-3.5.6-rc1
> >> > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
> >> > >
> >> > > ZooKeeper's KEYS file containing PGP keys we use to sign the
> release:
> >> > > https://www.apache.org/dist/zookeeper/KEYS
> >> > >
> >> > > Should we release this candidate?
> >> > >
> >> > > Enrico Olivelli
> >> >
> >> >
> >>
> >
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Enrico Olivelli <eo...@gmail.com>.
Hi folks,
all the community is invited to test this release candidate

and we need at least three binding VOTEs

Best regards
Enrico

On Mon, Sep 23, 2019 at 11:22 AM Enrico Olivelli <
eolivelli@gmail.com> wrote:

> Links to the details:
> https://github.com/FasterXML/jackson-databind/issues/2449
> https://github.com/FasterXML/jackson-databind/issues/2449
>
> @Andor Molnár <an...@apache.org>  is it a -1 from your side ?
>
> The rush for 3.5.6 is more about delivering a version of ZK without the
> security issues reported for Jackson Databind, so it may make sense to
> cancel this vote (but I am not doing it actually)
> Btw we can't follow the fast pace of DataBind and CVEs
>
> This is interesting
>
> https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
>
>
> As we are not affected by the issues above I suggest to move forward with
> the current tag
>
>
>
> Enrico
>
> On Mon, Sep 23, 2019 at 11:07 AM Norbert Kalmar
> <nk...@cloudera.com.invalid> wrote:
>
>> These CVEs do not affect ZooKeeper, both are related to Hikari which is not
>> used at all by ZooKeeper. (It's a JDBC connection pooling library)
>>
>> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
>>
>>
>> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <an...@apache.org> wrote:
>>
>> > Hi Enrico!
>> >
>> > Looks like owasp is reporting 2 new issues with
>> jackson-databind-2.9.9.3:
>> >
>> >
>> >
>> https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
>> >
>> > If I’m not mistaken.
>> >
>> > Andor
>> >
>> >
>> >
>> > > On 2019. Sep 20., at 22:18, Enrico Olivelli <eo...@gmail.com>
>> wrote:
>> > >
>> > > This is a bugfix release candidate for 3.5.6.
>> > >
>> > > It fixes 27 issues, including upgrade of third party libraries,
>> > > TTL Node APIs for C API, support for PCKS12 Keystores, and better
>> > procedure
>> > > for the upgrade of servers from 3.4 to 3.5.
>> > >
>> > > The full release notes is available at:
>> > >
>> > >
>> >
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>> > >
>> > > *** Please download, test and vote by September 23th 2019, 23:59
>> UTC+0.
>> > ***
>> > >
>> > > Source files:
>> > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
>> > >
>> > > Maven staging repo:
>> > >
>> >
>> https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
>> > >
>> > > The release candidate tag in git to be voted upon: release-3.5.6-rc1
>> > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
>> > >
>> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>> > > https://www.apache.org/dist/zookeeper/KEYS
>> > >
>> > > Should we release this candidate?
>> > >
>> > > Enrico Olivelli
>> >
>> >
>>
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Enrico Olivelli <eo...@gmail.com>.
Links to the details:
https://github.com/FasterXML/jackson-databind/issues/2449
https://github.com/FasterXML/jackson-databind/issues/2449

@Andor Molnár <an...@apache.org>  is it a -1 from your side ?

The rush for 3.5.6 is more about delivering a version of ZK without the
security issues reported for Jackson Databind, so it may make sense to
cancel this vote (but I am not doing it actually)
Btw we can't follow the fast pace of DataBind and CVEs

This is interesting
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062


As we are not affected by the issues above I suggest to move forward with
the current tag



Enrico

On Mon, Sep 23, 2019 at 11:07 AM Norbert Kalmar
<nk...@cloudera.com.invalid> wrote:

> These CVEs do not affect ZooKeeper, both are related to Hikari which is not
> used at all by ZooKeeper. (It's a JDBC connection pooling library)
>
> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
>
>
> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <an...@apache.org> wrote:
>
> > Hi Enrico!
> >
> > Looks like owasp is reporting 2 new issues with jackson-databind-2.9.9.3:
> >
> >
> >
> https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
> >
> > If I’m not mistaken.
> >
> > Andor
> >
> >
> >
> > > On 2019. Sep 20., at 22:18, Enrico Olivelli <eo...@gmail.com>
> wrote:
> > >
> > > This is a bugfix release candidate for 3.5.6.
> > >
> > > It fixes 27 issues, including upgrade of third party libraries,
> > > TTL Node APIs for C API, support for PCKS12 Keystores, and better
> > procedure
> > > for the upgrade of servers from 3.4 to 3.5.
> > >
> > > The full release notes is available at:
> > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> > >
> > > *** Please download, test and vote by September 23th 2019, 23:59 UTC+0.
> > ***
> > >
> > > Source files:
> > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
> > >
> > > Maven staging repo:
> > >
> >
> https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
> > >
> > > The release candidate tag in git to be voted upon: release-3.5.6-rc1
> > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
> > >
> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > https://www.apache.org/dist/zookeeper/KEYS
> > >
> > > Should we release this candidate?
> > >
> > > Enrico Olivelli
> >
> >
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Norbert Kalmar <nk...@cloudera.com.INVALID>.
These CVEs do not affect ZooKeeper, both are related to Hikari which is not
used at all by ZooKeeper. (It's a JDBC connection pooling library)
https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html


On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <an...@apache.org> wrote:

> Hi Enrico!
>
> Looks like owasp is reporting 2 new issues with jackson-databind-2.9.9.3:
>
>
> https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
>
> If I’m not mistaken.
>
> Andor
>
>
>
> > On 2019. Sep 20., at 22:18, Enrico Olivelli <eo...@gmail.com> wrote:
> >
> > This is a bugfix release candidate for 3.5.6.
> >
> > It fixes 27 issues, including upgrade of third party libraries,
> > TTL Node APIs for C API, support for PCKS12 Keystores, and better
> procedure
> > for the upgrade of servers from 3.4 to 3.5.
> >
> > The full release notes is available at:
> >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >
> > *** Please download, test and vote by September 23th 2019, 23:59 UTC+0.
> ***
> >
> > Source files:
> > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
> >
> > Maven staging repo:
> >
> https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
> >
> > The release candidate tag in git to be voted upon: release-3.5.6-rc1
> > https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
> >
> > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > https://www.apache.org/dist/zookeeper/KEYS
> >
> > Should we release this candidate?
> >
> > Enrico Olivelli
>
>

Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 1

Posted by Andor Molnar <an...@apache.org>.
Hi Enrico!

Looks like owasp is reporting 2 new issues with jackson-databind-2.9.9.3:

https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html

If I’m not mistaken.

Andor



> On 2019. Sep 20., at 22:18, Enrico Olivelli <eo...@gmail.com> wrote:
> 
> This is a bugfix release candidate for 3.5.6.
> 
> It fixes 27 issues, including upgrade of third party libraries,
> TTL Node APIs for C API, support for PCKS12 Keystores, and better procedure
> for the upgrade of servers from 3.4 to 3.5.
> 
> The full release notes is available at:
> 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> 
> *** Please download, test and vote by September 23th 2019, 23:59 UTC+0. ***
> 
> Source files:
> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
> 
> Maven staging repo:
> https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
> 
> The release candidate tag in git to be voted upon: release-3.5.6-rc1
> https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
> 
> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> https://www.apache.org/dist/zookeeper/KEYS
> 
> Should we release this candidate?
> 
> Enrico Olivelli