Hi Fokko, I know we have some fixes on the fly. So, let me do a new pass on issues and backports and I will send an update on the mailing list (early next week).
Thanks ! Regards JB On Sun, Dec 3, 2023 at 1:40 AM Fokko Driesprong <fo...@apache.org> wrote: > > Hey JB, > > I think there is no harm in doing a patch release. > > There was another request to backport an issue, I've created a PR: > https://github.com/apache/iceberg/pull/8969#issuecomment-1837286383 > > Kind regards, > Fokko > > Op wo 22 nov 2023 om 18:50 schreef Jean-Baptiste Onofré <j...@nanthrax.net>: >> >> Hi guys >> >> Quick update about that: >> 1. I took a deeper look today about the Avro CVE issue. I don't think >> we are impacted on Iceberg (the CVE is about deserialization of >> corrupted data potentially causing out of memory). The fix >> (https://github.com/apache/avro/commit/a12a7e44d) introduces >> SystemLimitException that uses system properties to define boundaries >> and avoid the OOM (even if the deserialization won't still work :)). >> So, nothing really changes from an Iceberg perspective. >> 2. As discussed during the community meeting today, as (1) doesn't >> really have an impact on Iceberg, there's no urgency to release 1.4.3. >> We agreed to wait new fixes for 1.4.3 release. >> >> I'm still volunteering to cut the 1.4.3 patch release when ready (I >> did all the build checks on my machine :)), and I'm doing a pass on GH >> issues. >> >> Thanks ! >> Regards >> JB >> >> On Tue, Nov 21, 2023 at 8:49 PM Jean-Baptiste Onofré <j...@nanthrax.net> >> wrote: >> > >> > Hi >> > >> > We chatted about the 1.4.3 release with Ed. >> > >> > We have few PRs we want to include and as it’s Thanksgiving this week, I >> > will submit the release to vote on Tuesday next week. >> > >> > Regards >> > JB >> > >> > Le lun. 20 nov. 2023 à 17:24, Jean-Baptiste Onofré <j...@nanthrax.net> a >> > écrit : >> >> >> >> Thanks Fokko ! >> >> >> >> I'm on the local build check and issue pass. I plan to start the >> >> release tomorrow. >> >> >> >> Regards >> >> JB >> >> >> >> On Mon, Nov 20, 2023 at 8:56 AM Driesprong, Fokko <fo...@driesprong.frl> >> >> wrote: >> >> > >> >> > I took the liberty and created a 1.4.3 milestone to track any issues >> >> > that we want to backport. >> >> > >> >> > Kind regards, >> >> > Fokko Driesprong >> >> > >> >> > Op ma 20 nov 2023 om 08:50 schreef Driesprong, Fokko >> >> > <fo...@driesprong.frl>: >> >> >> >> >> >> Hey JB, >> >> >> >> >> >> Late to the party here, but 1.4.3 sounds like a great idea. Let me >> >> >> know if you need any help with any release steps. >> >> >> >> >> >> Kind regards, >> >> >> Fokko Driesprong >> >> >> >> >> >> Op ma 20 nov 2023 om 08:16 schreef Jean-Baptiste Onofré >> >> >> <j...@nanthrax.net>: >> >> >>> >> >> >>> Hi >> >> >>> >> >> >>> As there's no objection, I will move forward and prepare the release >> >> >>> to vote. >> >> >>> >> >> >>> I will keep you posted asap. >> >> >>> >> >> >>> Thanks, >> >> >>> Regards >> >> >>> JB >> >> >>> >> >> >>> On Wed, Nov 15, 2023 at 6:11 AM Jean-Baptiste Onofré >> >> >>> <j...@nanthrax.net> wrote: >> >> >>> > >> >> >>> > Hi guys, >> >> >>> > >> >> >>> > Avro 1.11.3 has been released, fixing CVE-2023-39410. >> >> >>> > We already updated to Avro 1.11.3 on main. >> >> >>> > >> >> >>> > About CVE, we also already use guava 32.1.3, fixing CVE-2023-2976. >> >> >>> > >> >> >>> > As the Avro CVE is classified high (see >> >> >>> > https://nvd.nist.gov/vuln/detail/CVE-2023-39410), I propose to bump >> >> >>> > to >> >> >>> > Avro 1.11.3 on our 1.4.x branch and release Iceberg 1.4.3 including >> >> >>> > this. >> >> >>> > >> >> >>> > Thoughts ? >> >> >>> > >> >> >>> > If there are no objections, I'm volunteer to drive this release. >> >> >>> > >> >> >>> > Thanks, >> >> >>> > Regards >> >> >>> > JB
