Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Update zookeeper to 3.8.4 #136

Merged
merged 1 commit into from
Mar 26, 2024
Merged

chore: Update zookeeper to 3.8.4 #136

merged 1 commit into from
Mar 26, 2024

Conversation

israel-hdez
Copy link
Collaborator

This is to move away from CVE-2024-23944: information disclosure.

@oss-prow-bot oss-prow-bot bot requested review from ckadner and tjohnson31415 March 20, 2024 19:47
@israel-hdez israel-hdez mentioned this pull request Mar 20, 2024
Open
24 tasks
@rafvasq rafvasq requested review from rafvasq and njhill March 20, 2024 20:55
@rafvasq
Copy link
Member

rafvasq commented Mar 21, 2024

Seems like the tests never finish/fail. At first glance there's a message SLF4J: Class path contains multiple SLF4J bindings. and I haven't been able to connect that to the Zookeeper update yet, but it seems like upgrading <slf4j-version>1.7.36</slf4j-version> to latest (v2.0.12) works. I can continue to look into it, not familiar with these frameworks.

@israel-hdez
Copy link
Collaborator Author

seems like upgrading <slf4j-version>1.7.36</slf4j-version> to latest (v2.0.12) works

I did this and now the tests are finishing, but an error is issued.
I'll also try to look at it closer, but I can't promise progress, given I'm not familiar with the codebase.

@rafvasq
Copy link
Member

rafvasq commented Mar 22, 2024
edited
Loading

seems like upgrading <slf4j-version>1.7.36</slf4j-version> to latest (v2.0.12) works

I did this and now the tests are finishing, but an error is issued. I'll also try to look at it closer, but I can't promise progress, given I'm not familiar with the codebase.

Thanks for trying that. I looked into it more and noticed that Zookeeper migrated to logback in 3.8. For now at least, we can exclude it here (and revert slf4j-version):

<dependency>
  <!-- override litelinks' versions with newer to avoid CVE -->
  <groupId>org.apache.zookeeper</groupId>
  <artifactId>zookeeper</artifactId>
  <version>${zookeeper-version}</version>
  <exclusions>
    <exclusion>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
    </exclusion>
  </exclusions>
</dependency>

rafvasq
rafvasq requested changes Mar 25, 2024
View reviewed changes
Copy link
Member

@rafvasq rafvasq left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In case you missed it, please revert slf4j-version too and hopefully the tests pass.

@israel-hdez
chore: Update zookeeper to 3.8.4
23c75e5 
This is to move away from CVE-2024-23944: information disclosure.

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
@israel-hdez
Copy link
Collaborator Author

In case you missed it, please revert slf4j-version too and hopefully the tests pass.

@rafvasq I just updated the PR. Looks like it is working :-)

rafvasq
rafvasq approved these changes Mar 26, 2024
View reviewed changes
Copy link
Member

@rafvasq rafvasq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@oss-prow-bot oss-prow-bot bot added the lgtm label Mar 26, 2024
@oss-prow-bot OSS-prow-bot
Copy link

oss-prow-bot bot commented Mar 26, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: israel-hdez, rafvasq

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rafvasq rafvasq merged commit 4b61e94 into kserve:main Mar 26, 2024
7 checks passed
@israel-hdez israel-hdez deleted the cve-2024-23944-fix branch March 26, 2024 16:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rafvasq rafvasq rafvasq approved these changes

@ckadner ckadner Awaiting requested review from ckadner

@tjohnson31415 tjohnson31415 Awaiting requested review from tjohnson31415

@njhill njhill Awaiting requested review from njhill

Assignees

@rafvasq rafvasq

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@israel-hdez @rafvasq