Bumping this thread again to remind Pulsar PMC members that we urgently need 
binding votes to publish releases containing a critical severity CVE-2025-24970 
fix (details in the thread).

These are the active release voting threads:
* [VOTE] Release Apache Pulsar 3.0.10 based on 3.0.10-candidate-1
- https://lists.apache.org/thread/62jh7sj666mq2plr1rmlj7qrfx4zdj4x
* [VOTE] Release Apache Pulsar 3.3.5 based on 3.3.5-candidate-2
- https://lists.apache.org/thread/vwgzdqybtrd4vny87c9qz1t6yqo4v6kz
* [VOTE] Release Apache Pulsar 4.0.3 based on 4.0.3-candidate-2
- https://lists.apache.org/thread/81ownrk38w692wfvhpp5f689dvo8vs5n

Understanding that the effort required for Pulsar release validation may be 
causing the lack of binding votes, I have enhanced the semi-automated Pulsar 
Release candidate validation script. It can now run in a docker container on 
Linux, MacOS, or Windows without requiring JVM or tooling installation on the 
host environment. Everything is included in the docker container. This script 
assists with Pulsar release candidate validation by automating the steps 
described in "Validating release candidates." [1]

Please visit https://github.com/lhotari/pulsar-release-validation to check how 
to run validation steps with this solution, unless you already have a preferred 
method for handling Pulsar release candidate validation.

The primary goal is to lower the barrier to participation in the voting 
process. This tool doesn't replace the need to review results, but it should 
simplify the process. Currently, releases are delayed due to insufficient 
binding votes. The 3.0.10-candidate-1 vote has been open since February 
19th—almost a week—and has received only one vote from Yike with no binding 
votes from PMC members.

-Lari

1 - https://pulsar.apache.org/contribute/validate-release-candidate/

On 2025/02/25 15:11:43 Lari Hotari wrote:
> 3.3.5-candidate-2 and 4.0.3-candidate-2 have now been made ready for voting. 
> 3.0.10-candidate-1 voting continues.
> 
> Please vote on the 3.0.10, 3.3.5 and 4.0.3 releases so that we get the CVE 
> fix published:
> * [VOTE] Release Apache Pulsar 3.0.10 based on 3.0.10-candidate-1
> - https://lists.apache.org/thread/62jh7sj666mq2plr1rmlj7qrfx4zdj4x
> * [VOTE] Release Apache Pulsar 3.3.5 based on 3.3.5-candidate-2
> - https://lists.apache.org/thread/vwgzdqybtrd4vny87c9qz1t6yqo4v6kz
> * [VOTE] Release Apache Pulsar 4.0.3 based on 4.0.3-candidate-2
> - https://lists.apache.org/thread/81ownrk38w692wfvhpp5f689dvo8vs5n
> 
> -Lari
> 
> On 2025/02/12 08:52:50 Lari Hotari wrote:
> > Hi all,
> > 
> > I'd like to discuss initiating the next set of Pulsar releases
> > (3.0.10, 3.3.5, and 4.0.3) due to a recently disclosed high-severity
> > security vulnerability in Netty (CVE-2025-24970). Netty has released
> > version 4.1.118.Final which contains the fix.
> > 
> > The CVE-2025-24970 vulnerability details [1] summarized:
> > - A specially crafted packet received via SslHandler can lead to a
> > native crash when using native SSLEngine
> > - Due to the crash behavior, this is categorized as a
> > denial-of-service vulnerability
> > - This impacts Pulsar brokers and proxies that use native SSL
> > implementation (default setting)
> > - CVSS Score: 7.5 (High)
> > - Fixed in Netty 4.1.118.Final
> > 
> > While this primarily affects broker and proxy components, many
> > enterprise users will need an updated client due to vulnerability
> > scanning and security policies that flag the vulnerable Netty
> > dependency.
> > 
> > Important reminder: As documented in the Apache Pulsar Helm chart
> > (https://github.com/apache/pulsar-helm-chart?tab=readme-ov-file#pulsar-proxy-security-considerations),
> > Pulsar components including the Pulsar Proxy are not designed for
> > direct exposure to the public internet. Deployments should be
> > protected by appropriate network perimeter security measures. This
> > architectural assumption is particularly relevant given the nature of
> > this vulnerability.
> > 
> > I propose the following timeline:
> > - Release candidates by February 14th, 2025
> > - Releases by February 21st, 2025
> > 
> > I'm volunteering to be the release manager for these releases.
> > Please let me know if you have any concerns or feedback on this plan.
> > 
> > Best regards,
> > 
> > Lari Hotari
> > 
> > 1 - For technical details on CVE-2025-24970, see:
> > https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
> > 
> 

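The check a deployment owner would want after reading the CVE summary quoted above, added here as an example and not part of the thread or of the Pulsar project's own tooling: it parses Maven-style Netty jar names from a `lib/` directory listing and flags the netty 4.1.x core artifacts that predate 4.1.118.Final, the fixed release named in the thread. The jar-naming pattern (an optional `io.netty-` groupId prefix in front of the artifact name) and the sample file names are assumptions constructed for the example; netty-tcnative, which carries its own 2.0.x version line, is deliberately left out of the verdict.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Netty release that contains the CVE-2025-24970 fix, as stated in the thread.
FIXED_NETTY_VERSION = (4, 1, 118)

# Matches Maven-style Netty jar names, with or without an "io.netty-" groupId prefix.
# Assumption: version is major.minor.patch, followed by an optional qualifier
# (e.g. ".Final") and an optional classifier (e.g. "-linux-x86_64").
_NETTY_JAR_RE = re.compile(
    r"^(?:io\.netty-)?netty-(?P<artifact>[a-z0-9-]+?)-"
    r"(?P<version>\d+\.\d+\.\d+)(?:\.(?P<qualifier>[A-Za-z0-9]+))?"
    r"(?:-(?P<classifier>[A-Za-z0-9_-]+))?\.jar$"
)


@dataclass(frozen=True)
class NettyJar:
    filename: str
    artifact: str
    version: Tuple[int, int, int]


def parse_netty_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.1.118.Final' or '4.1.118' into a comparable (major, minor, patch) tuple."""
    parts = version.split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected Netty version format: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def is_fixed(version: str) -> bool:
    """True if this netty 4.1.x core version is at or past the release with the fix."""
    return parse_netty_version(version) >= FIXED_NETTY_VERSION


def parse_netty_jar(filename: str) -> Optional[NettyJar]:
    """Return a NettyJar for netty 4.1.x core artifacts, None for anything else."""
    m = _NETTY_JAR_RE.match(filename)
    if not m:
        return None
    artifact = m.group("artifact")
    # netty-tcnative is versioned on a separate 2.0.x line, so comparing it against
    # the 4.1.118 threshold would be meaningless; it is not judged here.
    if artifact.startswith("tcnative"):
        return None
    return NettyJar(filename, artifact, parse_netty_version(m.group("version")))


def find_vulnerable_netty_jars(filenames: Iterable[str]) -> List[str]:
    """Return the Netty core jars whose version predates the fixed release, sorted by name."""
    return sorted(
        jar.filename
        for jar in map(parse_netty_jar, filenames)
        if jar is not None and jar.version < FIXED_NETTY_VERSION
    )


# Constructed sample listing of a lib/ directory; not taken from any real distribution.
SAMPLE_LIB_LISTING = [
    "io.netty-netty-handler-4.1.117.Final.jar",
    "io.netty-netty-codec-http-4.1.117.Final.jar",
    "io.netty-netty-transport-native-epoll-4.1.117.Final-linux-x86_64.jar",
    "io.netty-netty-tcnative-boringssl-static-2.0.69.Final.jar",
    "io.netty-netty-common-4.1.118.Final.jar",
    "org.slf4j-slf4j-api-2.0.13.jar",
]

if __name__ == "__main__":
    for name in find_vulnerable_netty_jars(SAMPLE_LIB_LISTING):
        print(f"predates Netty 4.1.118.Final: {name}")
```

Feeding it a real listing is a matter of replacing `SAMPLE_LIB_LISTING` with `os.listdir()` of the distribution's `lib/` directory; a mixed result like the one in the sample (some jars at 4.1.118, others behind) is itself a finding, since Netty expects all of its core artifacts at one version.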