Posted to issues@bookkeeper.apache.org by GitBox <gi...@apache.org> on 2021/08/18 02:51:37 UTC

[GitHub] [bookkeeper] zymap opened a new pull request #2765: Release note for 4.14.2

zymap opened a new pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765


   ---
   
   *Motivation*
   
   Release note update for 4.14.2
   
   Descriptions of the changes in this PR:
   
   
   
   ### Motivation
   
   (Explain: why you're making that change, what is the problem you're trying to solve)
   
   ### Changes
   
   (Describe: what changes you have made)
   
   Master Issue: #<master-issue-number>
   
   > ---
   > In order to uphold a high standard for quality for code contributions, Apache BookKeeper runs various precommit
   > checks for pull requests. A pull request can only be merged when it passes precommit checks.
   >
   > ---
   > Be sure to do all of the following to help us incorporate your contribution
   > quickly and easily:
   >
   > If this PR is a BookKeeper Proposal (BP):
   >
   > - [ ] Make sure the PR title is formatted like:
   >     `<BP-#>: Description of bookkeeper proposal`
   >     `e.g. BP-1: 64 bits ledger is support`
   > - [ ] Attach the master issue link in the description of this PR.
   > - [ ] Attach the google doc link if the BP is written in Google Doc.
   >
   > Otherwise:
   > 
   > - [ ] Make sure the PR title is formatted like:
   >     `<Issue #>: Description of pull request`
   >     `e.g. Issue 123: Description ...`
   > - [ ] Make sure tests pass via `mvn clean apache-rat:check install spotbugs:check`.
   > - [ ] Replace `<Issue #>` in the title with the actual Issue number.
   > 
   > ---
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@bookkeeper.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [bookkeeper] zymap commented on pull request #2765: Release note for 4.14.2

Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765#issuecomment-904370104


   @eolivelli Here is an update for the site. PTAL. Thanks.





[GitHub] [bookkeeper] zymap commented on pull request #2765: Release note for 4.14.2

Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765#issuecomment-915736744


   We have added it in the rc0 release note https://github.com/apache/bookkeeper/pull/2763/files#diff-e0a1e7642b2b55b58ef495600503f7c31d4d4e4c4c48d4c176110edb0ead0274R11





[GitHub] [bookkeeper] zymap merged pull request #2765: Release note for 4.14.2

Posted by GitBox <gi...@apache.org>.
zymap merged pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765


   





[GitHub] [bookkeeper] eolivelli commented on pull request #2765: Release note for 4.14.2

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765#issuecomment-913459889


   @nicoloboschi you are right.
   I apologise.
   
   @zymap can you please address @nicoloboschi 's comments in a new patch?





[GitHub] [bookkeeper] zymap commented on pull request #2765: Release note for 4.14.2

Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765#issuecomment-912226255


   @eolivelli Done. PTAL thanks





[GitHub] [bookkeeper] nicoloboschi commented on a change in pull request #2765: Release note for 4.14.2

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on a change in pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765#discussion_r698434977



##########
File path: site/docs/4.14.2/overview/releaseNotes.md
##########
@@ -20,6 +20,22 @@ The technical details of this release are summarized below.
 
   The current libthrift version 0.12.0 has multiple vulnerabilities: CVE-2019-0205 , CVE-2019-0210 , CVE-2020-13949
 
+- [https://github.com/apache/bookkeeper/pull/2735] Exclude grpc-okhttp dependency
+
+  The okhttp dependency version 2.7.4 is old and vulnerable. This dependency isn't needed and it causes Bookkeeper to be flagged for security vulnerabilities.
+
+- [https://github.com/apache/bookkeeper/pull/2734] Upgrade Freebuilder version and fix the dependency
+
+  - Freebuilder 1.14.9 contains an outdate jquery js file which causes the library to be flagged as vulnerable with the highest threat level in Sonatype IQ vulnerability scanner. This also flags Bookkeeper and Pulsar as vulnerable with the highest threat level although it is a false positive and not an actual threat.
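Review bot: the okhttp entry (`+  The okhttp dependency version 2.7.4 is old and vulnerable.`) names no advisory identifier, while the libthrift entry in the unchanged context just above lists CVE-2019-0205, CVE-2019-0210 and CVE-2020-13949; operators reading release notes match these IDs against scanner findings and their own suppression lists, so either add the identifiers the scanner reports for okhttp 2.7.4 (and for the jquery file in Freebuilder 1.14.9) or state explicitly that no CVE was assigned. The Freebuilder paragraph also switches to a nested bullet (`+  - Freebuilder 1.14.9 contains ...`) where the okhttp entry uses an indented paragraph; keep one shape for all entries, fix `outdate` to `outdated`, and spell the project name `BookKeeper` as the rest of the site does.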

Review comment:
       idk if it's good to mention pulsar here, I feel it is not relevant for BK release notes







[GitHub] [bookkeeper] nicoloboschi commented on pull request #2765: Release note for 4.14.2

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765#issuecomment-913389347


   > I think we are missing this important commit about bc-fips dependency fix
   > [e54be34](https://github.com/apache/bookkeeper/commit/e54be3451726c6b7e2fe6a9d412f1a2ab78d8203)
   
   @zymap @eolivelli I see the RN merged but my comment isn't resolved yet





[GitHub] [bookkeeper] eolivelli commented on a change in pull request #2765: Release note for 4.14.2

Posted by GitBox <gi...@apache.org>.
eolivelli commented on a change in pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765#discussion_r698437464



##########
File path: site/docs/4.14.2/overview/releaseNotes.md
##########
@@ -20,6 +20,22 @@ The technical details of this release are summarized below.
 
   The current libthrift version 0.12.0 has multiple vulnerabilities: CVE-2019-0205 , CVE-2019-0210 , CVE-2020-13949
 
+- [https://github.com/apache/bookkeeper/pull/2735] Exclude grpc-okhttp dependency
+
+  The okhttp dependency version 2.7.4 is old and vulnerable. This dependency isn't needed and it causes Bookkeeper to be flagged for security vulnerabilities.
+
+- [https://github.com/apache/bookkeeper/pull/2734] Upgrade Freebuilder version and fix the dependency
+
+  - Freebuilder 1.14.9 contains an outdate jquery js file which causes the library to be flagged as vulnerable with the highest threat level in Sonatype IQ vulnerability scanner. This also flags Bookkeeper and Pulsar as vulnerable with the highest threat level although it is a false positive and not an actual threat.
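Review bot: the last line of the hunk asks readers to dismiss a highest-severity scanner finding (`... although it is a false positive and not an actual threat.`) without saying why it is one; a release note that tells operators to ignore a finding should give the reason (for example that the jquery file is not shipped in the BookKeeper artifacts, or is never loaded at runtime, whichever actually applies) so the claim can be verified rather than taken on trust. The sentence should also be scoped to BookKeeper only: this project's release notes cannot establish Pulsar's exposure, and the Pulsar-specific statement belongs in that project's own notes.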

Review comment:
       yes, please remove the reference to Pulsar @zymap 



