For the upgrade of RocksDB 9.9.3, I wonder if two emails can be sent to
follow up on 4.18.0 and 4.17.2. I feel that this is a bit confusing. It may
be clearer to send two emails to follow up separately.
Or other versions may also need this and follow up with the same email.

On Tue, Apr 22, 2025 at 6:39 PM Lari Hotari <lhot...@apache.org> wrote:

> I'd like to suggest extending the upgrade of BookKeeper to RocksDB 9.9.3
> in the 4.17.2 release as well, not just the 4.18.0 release. On the Pulsar
> side, 4.17.x is used for Pulsar 3.3.x (out-of-support) and Pulsar 4.0.x
> branches.
>
> One of the reasons for doing so is that compiled RocksDB rocksdbjni
> binaries in Maven Central (
> https://repo1.maven.org/maven2/org/rocksdb/rocksdbjni/) before 9.0.0 are
> compiled with zlib 1.3 or earlier, which contains the vulnerability
> CVE-2023-45853 [1]. The zlib 1.3.1 upgrade in RocksDB was implemented in
> this commit [2].
>
> Some enterprises use vulnerability scanners that also detect statically
> linked libraries and have requirements to address high or critical CVEs in
> those cases as well. CVE-2023-45853 is categorized as both 9.8/10
> (critical) and 8.8/10 (high) on the NVD CVE page [1].
>
> -Lari
>
> 1 - https://nvd.nist.gov/vuln/detail/CVE-2023-45853
> 2 - https://github.com/facebook/rocksdb/commit/055b21ab110b4dfafee792ebab725869c38d55ed
>
> On 2025/04/17 08:21:49 Lari Hotari wrote:
> > Hello BookKeeper community,
> >
> > I'd like to propose upgrading our RocksDB dependency from the current
> > 7.10.2 version to 9.9.3.
> > Among all 9.x versions, I specifically chose 9.9.3 since it's
> > currently the most recent version with multiple patch releases and
> > it's readily available in Maven Central [1].
> >
> > Upgrading RocksDB would bring important benefits:
> > - Bug fixes and improvements made in RocksDB since 7.10.2
> > - Multiple bug fixes specifically related to CompactRange [2,3]
> >
> > RocksDB 9.x uses format_version=6 by default, which isn't backward
> > compatible with RocksDB versions before 8.6.0.
> > We've addressed this in our codebase by:
> > 1. Explicitly setting format_version=5 in configuration files for all
> > RocksDB database instances
> > 2. Fixing several bugs where format_version wasn't set consistently
> > across all database instances (PRs #4466, #4480, #4559, and #4560)
> > With these changes, we've verified that upgrade/downgrade
> > compatibility tests pass successfully.
> >
> > The PR to upgrade to 9.9.3 is
> > https://github.com/apache/bookkeeper/pull/4580
> >
> > If there are no significant objections, I suggest that we target this
> > upgrade for the 4.18.0 release.
> >
> > Looking forward to your feedback!
> >
> > Best regards,
> >
> > -Lari
> >
> > 1 - https://search.maven.org/artifact/org.rocksdb/rocksdbjni
> > 2 - https://github.com/facebook/rocksdb/releases?q=CompactRange&expanded=true
> > 3 - https://github.com/facebook/rocksdb/blob/main/HISTORY.md
> >
>
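The proposal above pins format_version=5 in the per-instance RocksDB configuration files so that data written by RocksDB 9.x stays readable by versions before 8.6.0, and notes earlier bugs where the setting was missing for some instances. The following checker is an added example, not code from the thread or from the BookKeeper project; it assumes the configuration files use RocksDB's OPTIONS-file ini layout (with `[TableOptions/BlockBasedTable "..."]` sections) and flags any table section where format_version is absent or above 5.

```python
import re
from typing import Dict, List

# Constructed sample in RocksDB OPTIONS-file layout (assumption: BookKeeper's
# per-instance conf files follow it). The "default" table section pins
# format_version=5; the "ledgers" section omits it, so RocksDB 9.x would
# silently use its default of 6.
SAMPLE_CONF = """\
[Version]
  rocksdb_version=9.9.3
[DBOptions]
  create_if_missing=true
[CFOptions "default"]
  compression=kLZ4Compression
[TableOptions/BlockBasedTable "default"]
  format_version=5
  block_size=65536
[TableOptions/BlockBasedTable "ledgers"]
  block_size=65536
"""

MAX_COMPATIBLE_FORMAT_VERSION = 5  # newest table format readable by RocksDB < 8.6.0
TABLE_SECTION_PREFIX = "TableOptions/BlockBasedTable"


def parse_table_options(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_name: {key: value}} for every BlockBasedTable section."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None  # dict of the table section being read, else None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            name = header.group(1)
            current = sections.setdefault(name, {}) if name.startswith(TABLE_SECTION_PREFIX) else None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def check_format_version(text: str) -> List[str]:
    """One finding per table section whose format_version is missing or too new."""
    sections = parse_table_options(text)
    if not sections:
        return [f"no {TABLE_SECTION_PREFIX} section found: format_version will take the library default"]
    findings = []
    for name, opts in sections.items():
        fv = opts.get("format_version")
        if fv is None:
            findings.append(f"{name}: format_version not set (RocksDB 9.x defaults to 6)")
        elif int(fv) > MAX_COMPATIBLE_FORMAT_VERSION:
            findings.append(f"{name}: format_version={fv} not readable by RocksDB < 8.6.0")
    return findings
```

Run it over every instance's configuration file during the upgrade; an empty list for each file means every table section is explicitly pinned to a downgrade-compatible format.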