+1 for releasing 2.6.4 with the fix for the CVE, as this is still an active branch that should receive security patches.
I’ll be following up with an email to the ML to discuss creating a process to more formally let our users know which versions will receive security patches.

Thanks,
Michael

> On May 27, 2021, at 12:40 PM, Lari Hotari <lhot...@apache.org> wrote:
>
> Dear Pulsar community members,
>
> I'd like to propose cutting a 2.6.4 release so that we can
> address CVE-2021-22160 [1] also in 2.6.x. The fix for CVE-2021-22160 is
> included in 2.7.1.
>
> Here [2] you can find the list of commits cherry-picked to branch-2.6 since
> 2.6.3 release.
>
> I would like to volunteer as a release manager for 2.6.4 unless someone
> else is already planning to take care of this release.
>
> BR,
>
> Lari
>
> [1]
> https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cdev.pulsar.apache.org%3E
>
> [2] https://github.com/apache/pulsar/compare/v2.6.3...branch-2.6