Hi Chia-Ping Tsai,

Yes, let’s take the jetty CVE fix for 3.9.0.

Best,
Colin

On Wed, Oct 16, 2024, at 08:51, Chia-Ping Tsai wrote:
> hi Colin
>
> Do you think KAFKA-17810 is a blocker for 3.9.0 since it's related to a
> CVE? The PR (https://github.com/apache/kafka/pull/17517) will upgrade
> Jetty to 9.4.56.v20240826 to fix one of the CVEs, and we can backport
> it to 3.9 if you're okay with rolling RC3
>
> Best,
> Chia-Ping
>
>
> On 2024/10/10 21:14:55 Colin McCabe wrote:
>> This is the second candidate for the release of Apache Kafka 3.9.0. I have
>> titled it rc2 since I had an rc1 which got very far, even to the point of
>> pushing tags and docker images, before I spotted an issue. So rather than
>> mutate the tags, I decided to skip over rc1.
>>
>> - This is a major release, the final one in the 3.x line. (There may of
>> course be other minor releases in this line, such as 3.9.1.)
>> - Tiered storage will be considered production-ready in this release.
>> - This will be the final major release to feature the deprecated ZooKeeper
>> mode.
>>
>> This release includes the following KIPs:
>> - KIP-853: Support dynamically changing KRaft controller membership
>> - KIP-1057: Add remote log metadata flag to the dump log tool
>> - KIP-1049: Add config log.summary.interval.ms to Kafka Streams
>> - KIP-1040: Improve handling of nullable values in InsertField,
>> ExtractField, and other transformations
>> - KIP-1031: Control offset translation in MirrorSourceConnector
>> - KIP-1033: Add Kafka Streams exception handler for exceptions occurring
>> during processing
>> - KIP-1017: Health check endpoint for Kafka Connect
>> - KIP-1025: Optionally URL-encode clientID and clientSecret in authorization
>> header
>> - KIP-1005: Expose EarliestLocalOffset and TieredOffset
>> - KIP-950: Tiered Storage Disablement
>> - KIP-956: Tiered Storage Quotas
>>
>> Release notes for the 3.9.0 release:
>> https://dist.apache.org/repos/dist/dev/kafka/3.9.0-rc2/RELEASE_NOTES.html
>>
>> *** Please download, test and vote by October 16, 2024.
>>
>> Kafka's KEYS file containing PGP keys we use to sign the release:
>> https://kafka.apache.org/KEYS
>>
>> * Release artifacts to be voted upon (source and binary):
>> https://dist.apache.org/repos/dist/dev/kafka/3.9.0-rc2/
>>
>> * Docker release artifacts to be voted upon:
>> apache/kafka:3.9.0-rc2
>> apache/kafka-native:3.9.0-rc2
>>
>> * Maven artifacts to be voted upon:
>> https://repository.apache.org/content/groups/staging/org/apache/kafka/
>>
>> * Javadoc:
>> https://dist.apache.org/repos/dist/dev/kafka/3.9.0-rc2/javadoc/
>>
>> * Documentation:
>> https://kafka.apache.org/39/documentation.html
>>
>> * Protocol:
>> https://kafka.apache.org/39/protocol.html
>>
>> * Tag to be voted upon (off 3.9 branch) is the 3.9.0-rc2 tag:
>> https://github.com/apache/kafka/releases/tag/3.9.0-rc2
>>
>> * Successful Docker Image Github Actions Pipeline for 3.9 branch:
>> Docker Build Test Pipeline (JVM):
>> https://github.com/apache/kafka/actions/runs/11281563007
>> Docker Build Test Pipeline (Native):
>> https://github.com/apache/kafka/actions/runs/11281608809
>>
>> Thanks to everyone who helped with this release candidate, either by
>> contributing code, testing, or documentation.
>>
>> Regards,
>> Colin
>>