Posted to dev@pulsar.apache.org by Lari Hotari <lh...@apache.org> on 2021/05/27 18:40:06 UTC

Cutting 2.6.4 release to address CVE-2021-22160

Dear Pulsar community members,

I'd like to propose cutting a 2.6.4 release so that we can
address CVE-2021-22160 [1] also in 2.6.x. The fix for CVE-2021-22160 is
included in 2.7.1.

Here [2] you can find the list of commits cherry-picked to branch-2.6 since
2.6.3 release.

I would like to volunteer as a release manager for 2.6.4 unless someone
else is already planning to take care of this release.

BR,

Lari

[1]
https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cdev.pulsar.apache.org%3E

[2] https://github.com/apache/pulsar/compare/v2.6.3...branch-2.6

Re: Cutting 2.6.4 release to address CVE-2021-22160

Posted by Sijie Guo <gu...@gmail.com>.
+1

On Thu, May 27, 2021 at 11:40 AM Lari Hotari <lh...@apache.org> wrote:

> Dear Pulsar community members,
>
> I'd like to propose cutting a 2.6.4 release so that we can
> address CVE-2021-22160 [1] also in 2.6.x. The fix for CVE-2021-22160 is
> included in 2.7.1.
>
> Here [2] you can find the list of commits cherry-picked to branch-2.6 since
> 2.6.3 release.
>
> I would like to volunteer as a release manager for 2.6.4 unless someone
> else is already planning to take care of this release.
>
> BR,
>
> Lari
>
> [1]
>
> https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cdev.pulsar.apache.org%3E
>
> [2] https://github.com/apache/pulsar/compare/v2.6.3...branch-2.6
>

Re: Cutting 2.6.4 release to address CVE-2021-22160

Posted by Michael Marshall <mi...@gmail.com>.
+1 for releasing 2.6.4 with the fix for the CVE, as this is still an active branch that should receive security patches.

I’ll be following up with an email to the ML to discuss creating a process to more formally let our users know which versions will receive security patches.

Thanks,
Michael

> On May 27, 2021, at 12:40 PM, Lari Hotari <lh...@apache.org> wrote:
> 
> Dear Pulsar community members,
> 
> I'd like to propose cutting a 2.6.4 release so that we can
> address CVE-2021-22160 [1] also in 2.6.x. The fix for CVE-2021-22160 is
> included in 2.7.1.
> 
> Here [2] you can find the list of commits cherry-picked to branch-2.6 since
> 2.6.3 release.
> 
> I would like to volunteer as a release manager for 2.6.4 unless someone
> else is already planning to take care of this release.
> 
> BR,
> 
> Lari
> 
> [1]
> https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cdev.pulsar.apache.org%3E
> 
> [2] https://github.com/apache/pulsar/compare/v2.6.3...branch-2.6

Re: Cutting 2.6.4 release to address CVE-2021-22160

Posted by Shivji Kumar Jha <sh...@gmail.com>.
+1

Regards,
Shivji Kumar Jha
http://www.shivjijha.com/
+91 8884075512


On Fri, 28 May 2021 at 10:45, Enrico Olivelli <eo...@gmail.com> wrote:

> +1
>
> Thanks
>
> Enrico
>
> On Fri, May 28, 2021, 05:37 rxl@apache.org <ra...@gmail.com> wrote:
>
> > LGTM +1
> > --
> > Thanks
> > Xiaolong Ran
> >
> > On Fri, May 28, 2021 at 2:40 AM, Lari Hotari <lh...@apache.org> wrote:
> >
> > > Dear Pulsar community members,
> > >
> > > I'd like to propose cutting a 2.6.4 release so that we can
> > > address CVE-2021-22160 [1] also in 2.6.x. The fix for CVE-2021-22160 is
> > > included in 2.7.1.
> > >
> > > Here [2] you can find the list of commits cherry-picked to branch-2.6 since
> > > 2.6.3 release.
> > >
> > > I would like to volunteer as a release manager for 2.6.4 unless someone
> > > else is already planning to take care of this release.
> > >
> > > BR,
> > >
> > > Lari
> > >
> > > [1]
> > >
> > > https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cdev.pulsar.apache.org%3E
> > >
> > > [2] https://github.com/apache/pulsar/compare/v2.6.3...branch-2.6
> > >
> >
>

Re: Cutting 2.6.4 release to address CVE-2021-22160

Posted by Enrico Olivelli <eo...@gmail.com>.
+1

Thanks

Enrico

On Fri, May 28, 2021, 05:37 rxl@apache.org <ra...@gmail.com> wrote:

> LGTM +1
> --
> Thanks
> Xiaolong Ran
>
> On Fri, May 28, 2021 at 2:40 AM, Lari Hotari <lh...@apache.org> wrote:
>
> > Dear Pulsar community members,
> >
> > I'd like to propose cutting a 2.6.4 release so that we can
> > address CVE-2021-22160 [1] also in 2.6.x. The fix for CVE-2021-22160 is
> > included in 2.7.1.
> >
> > Here [2] you can find the list of commits cherry-picked to branch-2.6 since
> > 2.6.3 release.
> >
> > I would like to volunteer as a release manager for 2.6.4 unless someone
> > else is already planning to take care of this release.
> >
> > BR,
> >
> > Lari
> >
> > [1]
> >
> > https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cdev.pulsar.apache.org%3E
> >
> > [2] https://github.com/apache/pulsar/compare/v2.6.3...branch-2.6
> >
>

Re: Cutting 2.6.4 release to address CVE-2021-22160

Posted by "rxl@apache.org" <ra...@gmail.com>.
LGTM +1
--
Thanks
Xiaolong Ran

On Fri, May 28, 2021 at 2:40 AM, Lari Hotari <lh...@apache.org> wrote:

> Dear Pulsar community members,
>
> I'd like to propose cutting a 2.6.4 release so that we can
> address CVE-2021-22160 [1] also in 2.6.x. The fix for CVE-2021-22160 is
> included in 2.7.1.
>
> Here [2] you can find the list of commits cherry-picked to branch-2.6 since
> 2.6.3 release.
>
> I would like to volunteer as a release manager for 2.6.4 unless someone
> else is already planning to take care of this release.
>
> BR,
>
> Lari
>
> [1]
>
> https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cdev.pulsar.apache.org%3E
>
> [2] https://github.com/apache/pulsar/compare/v2.6.3...branch-2.6
>