I'd like to suggest extending the upgrade of BookKeeper to RocksDB 9.9.3 in the 
4.17.2 release as well, not just the 4.18.0 release. On the Pulsar side, 4.17.x 
is used for Pulsar 3.3.x (out-of-support) and Pulsar 4.0.x branches.

One of the reasons for doing so is that compiled RocksDB rocksdbjni binaries in 
Maven Central (https://repo1.maven.org/maven2/org/rocksdb/rocksdbjni/) before 
9.0.0 are compiled with zlib 1.3 or earlier, which contains the vulnerability 
CVE-2023-45853 [1]. The zlib 1.3.1 upgrade in RocksDB was implemented in this 
commit [2].

Some enterprises use vulnerability scanners that also detect statically linked 
libraries and have requirements to address high or critical CVEs in those cases 
as well. CVE-2023-45853 is categorized as both 9.8/10 (critical) and 8.8/10 
(high) on the NVD CVE page [1].

-Lari

1 - https://nvd.nist.gov/vuln/detail/CVE-2023-45853
2 - https://github.com/facebook/rocksdb/commit/055b21ab110b4dfafee792ebab725869c38d55ed
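For anyone who needs to confirm which zlib a given rocksdbjni artifact statically links before deciding whether the upgrade applies to them, here is an added example (not part of this thread or the BookKeeper project). It reads the zlib copyright banners that inflate.c/deflate.c embed in every build, reports the version per bundled native library, and flags anything older than 1.3.1; the jar it scans when run without arguments is a constructed stand-in with fake native libraries, not a real rocksdbjni build.

```python
import io
import re
import sys
import zipfile

# Threshold taken from the thread: RocksDB moved to zlib 1.3.1.
FIXED_ZLIB = (1, 3, 1)

# zlib embeds banners such as " inflate 1.3.1 Copyright 1995-2024 Mark Adler "
# in inflate.c and deflate.c; the version number is captured from them.
ZLIB_BANNER = re.compile(rb" (?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright ")

NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")


def parse_version(text):
    """'1.3' -> (1, 3, 0); '1.3.1' -> (1, 3, 1), so tuples compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def scan_jar(jar_bytes):
    """Map each native library in the jar to the zlib versions found in it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.lower().endswith(NATIVE_SUFFIXES):
                continue
            blob = jar.read(name)
            versions = sorted({m.group(1).decode() for m in ZLIB_BANNER.finditer(blob)})
            if versions:
                found[name] = versions
    return found


def vulnerable_entries(jar_bytes, fixed=FIXED_ZLIB):
    """Names of native libraries whose embedded zlib is older than `fixed`."""
    return sorted(name for name, versions in scan_jar(jar_bytes).items()
                  if any(parse_version(v) < fixed for v in versions))


def build_sample_jar():
    """Constructed stand-in for a rocksdbjni jar: fake libraries carrying a
    zlib 1.2.13 banner and a zlib 1.3.1 banner (no real RocksDB code inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("librocksdbjni-linux64.so",
                     b"\x7fELF..." + b" inflate 1.2.13 Copyright 1995-2022 Mark Adler " + b"...")
        jar.writestr("librocksdbjni-osx-arm64.jnilib",
                     b"\xcf\xfa\xed\xfe..." + b" deflate 1.3.1 Copyright 1995-2024 Jean-loup Gailly and Mark Adler ")
        jar.writestr("org/rocksdb/RocksDB.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for name, versions in scan_jar(data).items():
        print(name, "zlib", ", ".join(versions))
    print("older than 1.3.1:", vulnerable_entries(data))
```

Pass the path of a downloaded rocksdbjni jar as the first argument to scan a real artifact; only the banner string is matched, so a build that strips it would show up as "no banner" rather than as fixed.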

On 2025/04/17 08:21:49 Lari Hotari wrote:
> Hello BookKeeper community,
> 
> I'd like to propose upgrading our RocksDB dependency from the current
> 7.10.2 version to 9.9.3.
> Among all 9.x versions, I specifically chose 9.9.3 since it's
> currently the most recent version with multiple patch releases and
> it's readily available in Maven Central [1].
> 
> Upgrading RocksDB would bring important benefits:
> - Bug fixes and improvements made in RocksDB since 7.10.2
> - Multiple bug fixes specifically related to CompactRange [2,3]
> 
> RocksDB 9.x uses format_version=6 by default, which isn't backward
> compatible with RocksDB versions before 8.6.0.
> We've addressed this in our codebase by:
> 1. Explicitly setting format_version=5 in configuration files for all
> RocksDB database instances
> 2. Fixing several bugs where format_version wasn't set consistently
> across all database instances (PRs #4466, #4480, #4559, and #4560)
> With these changes, we've verified that upgrade/downgrade
> compatibility tests pass successfully.
> 
> The PR to upgrade to 9.9.3 is https://github.com/apache/bookkeeper/pull/4580
> 
> If there are no significant objections, I suggest that we target this
> upgrade for the 4.18.0 release.
> 
> Looking forward to your feedback!
> 
> Best regards,
> 
> -Lari
> 
> 1 - https://search.maven.org/artifact/org.rocksdb/rocksdbjni
> 2 - https://github.com/facebook/rocksdb/releases?q=CompactRange&expanded=true
> 3 - https://github.com/facebook/rocksdb/blob/main/HISTORY.md
> 