Posted to dev@zookeeper.apache.org by Enrico Olivelli <eo...@gmail.com> on 2023/01/17 17:22:38 UTC

Cutting Apache ZooKeeper 3.8.1 release

Hello ZooKeepers,
We have received a few requests to cut a 3.8.1 release.

I will start the release procedure by the end of this week;
if there is anything that blocks the release or that you would like to
cherry-pick, please let me know.

Best regards
Enrico

Re: Cutting Apache ZooKeeper 3.8.1 release

Posted by Enrico Olivelli <eo...@gmail.com>.
On Mon, 23 Jan 2023 at 13:54 Enrico Olivelli
<eo...@gmail.com> wrote:
>
> Actually I think that I am falling into a rabbit hole.
>
> The Contrib packages have many CVEs against third party libraries
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-4663 - OWASP is
> failing on loggraph due to yui-min.js: CVE-2013-4940, CVE-2013-4939
> https://issues.apache.org/jira/browse/ZOOKEEPER-4664 - OWASP is
> failing on zookeeper zookeeper-contrib-rest due to some third party
> dependencies
> https://issues.apache.org/jira/browse/ZOOKEEPER-4665 - OWASP is
> failing on zooinspector due to some third party dependencies
>
> There is too much work to do at the moment, and we can't blindly
> upgrade dependencies without proper testing.
>
> I am leaning towards creating the RC and ignoring all these problems.
> They don't affect the core code package, and they are optional
> modules, not deployed to Maven central or released as binaries.

During the release I have found that we actually stage the artifacts
in Maven central
but they are not supposed to be consumed from there.

This is a minor release; I think it is better not to change the layout.
We could improve the list of stuff that we send to Maven central in a
next major release

Enrico

>
> Enrico

Re: Cutting Apache ZooKeeper 3.8.1 release

Posted by Enrico Olivelli <eo...@gmail.com>.
Actually I think that I am falling into a rabbit hole.

The Contrib packages have many CVEs against third party libraries

https://issues.apache.org/jira/browse/ZOOKEEPER-4663 - OWASP is
failing on loggraph due to yui-min.js: CVE-2013-4940, CVE-2013-4939
https://issues.apache.org/jira/browse/ZOOKEEPER-4664 - OWASP is
failing on zookeeper zookeeper-contrib-rest due to some third party
dependencies
https://issues.apache.org/jira/browse/ZOOKEEPER-4665 - OWASP is
failing on zooinspector due to some third party dependencies

There is too much work to do at the moment, and we can't blindly
upgrade dependencies without proper testing.

I am leaning towards creating the RC and ignoring all these problems.
They don't affect the core code package, and they are optional
modules, not deployed to Maven central or released as binaries.

Enrico

On Mon, 23 Jan 2023 at 13:30 Enrico Olivelli
<eo...@gmail.com> wrote:
>
> Unfortunately I missed these OWASP failures on the contrib packages
>
> [ERROR] Failed to execute goal
> org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project
> zookeeper-it:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities
> that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
> [ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
> [ERROR]
> [ERROR] See the dependency-check report for more details.
>
> I will send other PRs
>
> Enrico

Re: Cutting Apache ZooKeeper 3.8.1 release

Posted by Enrico Olivelli <eo...@gmail.com>.
Unfortunately I missed these OWASP failures on the contrib packages

[ERROR] Failed to execute goal
org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project
zookeeper-it:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities
that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
[ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
[ERROR]
[ERROR] See the dependency-check report for more details.

I will send other PRs

Enrico

On Thu, 19 Jan 2023 at 12:07 Enrico Olivelli
<eo...@gmail.com> wrote:
>
> I have opened a few PRs,
> please help me review
>
> https://github.com/apache/zookeeper/pull/1972
> https://github.com/apache/zookeeper/pull/1971
> https://github.com/apache/zookeeper/pull/1970
>
> Enrico

Re: Cutting Apache ZooKeeper 3.8.1 release

Posted by Enrico Olivelli <eo...@gmail.com>.
I have opened a few PRs,
please help me review

https://github.com/apache/zookeeper/pull/1972
https://github.com/apache/zookeeper/pull/1971
https://github.com/apache/zookeeper/pull/1970

Enrico

On Thu, 19 Jan 2023 at 11:43 Enrico Olivelli
<eo...@gmail.com> wrote:
>
> Unfortunately OWASP check is failing on branch-3.8
>
> [ERROR] Failed to execute goal
> org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project
> zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities
> that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
> [ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
> [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
> [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5),
> CVE-2022-24823(5.5), CVE-2022-41881(7.5)
> [ERROR]
> [ERROR] See the dependency-check report for more details.
> [ERROR]
>
> I will take a look if there are already patches to be cherry-picked.
>
> I guess it will take some time; I hoped to cut the release candidate today :-(
>
> Enrico

Re: Cutting Apache ZooKeeper 3.8.1 release

Posted by Enrico Olivelli <eo...@gmail.com>.
Unfortunately OWASP check is failing on branch-3.8

[ERROR] Failed to execute goal
org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project
zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities
that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
[ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5),
CVE-2022-24823(5.5), CVE-2022-41881(7.5)
[ERROR]
[ERROR] See the dependency-check report for more details.
[ERROR]

I will take a look if there are already patches to be cherry-picked.

I guess it will take some time; I hoped to cut the release candidate today :-(

Enrico

On Tue, 17 Jan 2023 at 23:06 Chris Nauroth
<cn...@apache.org> wrote:
>
> +1
>
> Thank you for taking this up, Enrico!
>
> Chris Nauroth
>
>
> On Tue, Jan 17, 2023 at 9:24 AM Enrico Olivelli <eo...@gmail.com> wrote:

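A small parser for the dependency-check-maven output quoted in this thread and in the contrib-module message above, added here as an illustration and not part of the thread or of the ZooKeeper project. It handles the netty-transport entry whose CVE list Maven wrapped onto a second line, and applies a CVSS threshold the way dependency-check's failBuildOnCVSS parameter does (the builds here ran with 0.0, so every finding fails them); the sample text is constructed from the lines quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample reproducing the dependency-check-maven lines quoted in the
# thread, including the wrapped netty-transport entry whose CVE list continues
# on a line without the "[ERROR]" prefix.
SAMPLE_OUTPUT = """\
[ERROR] One or more dependencies were identified with vulnerabilities
that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
[ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5),
CVE-2022-24823(5.5), CVE-2022-41881(7.5)
[ERROR]
[ERROR] See the dependency-check report for more details.
"""

JAR_LINE = re.compile(r"^\[ERROR\]\s+(\S+\.jar):\s*(.*)$")
CVE_REF = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")

def parse_findings(text: str) -> Dict[str, List[Tuple[str, float]]]:
    """Map each flagged jar to its (CVE id, CVSS score) pairs, in report order."""
    findings: Dict[str, List[Tuple[str, float]]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = JAR_LINE.match(line)
        if m:
            current, refs = m.group(1), m.group(2)
            findings.setdefault(current, [])
        elif current and not line.startswith("[ERROR]") and CVE_REF.search(line):
            refs = line  # Maven wrapped the previous jar's CVE list onto this line
        else:
            continue
        findings[current].extend(
            (cve, float(score)) for cve, score in CVE_REF.findall(refs))
    return findings

def blocking_jars(findings: Dict[str, List[Tuple[str, float]]],
                  fail_on_cvss: float) -> List[str]:
    """Jars whose highest CVSS meets the threshold, mirroring dependency-check's
    failBuildOnCVSS; the thread's build ran with 0.0, so every finding blocks."""
    return sorted(jar for jar, refs in findings.items()
                  if refs and max(score for _, score in refs) >= fail_on_cvss)

def unique_cves(findings: Dict[str, List[Tuple[str, float]]]) -> List[str]:
    """Distinct CVE ids to triage; CVE-2021-37533 is reported against two jars."""
    return sorted({cve for refs in findings.values() for cve, _ in refs})
```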
Re: Cutting Apache ZooKeeper 3.8.1 release

Posted by Chris Nauroth <cn...@apache.org>.
+1

Thank you for taking this up, Enrico!

Chris Nauroth


On Tue, Jan 17, 2023 at 9:24 AM Enrico Olivelli <eo...@gmail.com> wrote:

> Hello ZooKeepers,
> We have received a few requests to cut a 3.8.1 release.
>
> I will start the release procedure by the end of this week;
> if there is anything that blocks the release or that you would like to
> cherry-pick, please let me know.
>
> Best regards
> Enrico
>