Pulsar Version addressing CVE-2024-53990

[sbandaru]

It's noted here that a fixed version addressing CVE-2024-53990 will be available in 4.0.2 , when is this expected to be released?
@lhotari

[lhotari]

It's noted here that a fixed version addressing CVE-2024-53990 will be available in 4.0.2 , when is this expected to be released? @lhotari

The next set of Apache Pulsar releases are currently in release validation and voting phase:
Release Apache Pulsar 3.0.9 based on 3.0.9-candidate-2
Release Apache Pulsar 3.3.4 based on 3.3.4-candidate-2
Release Apache Pulsar 4.0.2 based on 4.0.2-candidate-3 (updated)

According to the Apache release policy, votes are needed from 3 PMC members so that we get these released. There's currently 1 binding vote and I can do one binding vote. There's one remaining that we need from one of the 43 Apache Pulsar PMC members (/cc @nicoloboschi @eolivelli).

Usually we get through this in a couple of days, so I'd say that the ETA is January 17th.

[lhotari]

3.0.9, 3.3.4 and 4.0.2 releases have been completed. release notes are available at https://pulsar.apache.org/release-notes/ .

[sbandaru]

Thanks for the response, we are looking for this update to address the vulnerabilities asap. @lhotari

[lhotari]

@sbandaru You can follow the release progress in the mailing list threads shared in the previous reply. Unfortunately there are some delays due to delays in the voting. For 4.0.2, there will be an additional detail since there's a need to do 4.0.2 release candidate 3 with an important fix included for Pulsar 4.0 implementation of Key_Shared.

[lhotari]

4.0.2-candidate-3 replaced 4.0.2-candidate-2.
Ongoing vote threads:
Release Apache Pulsar 3.0.9 based on 3.0.9-candidate-2
Release Apache Pulsar 3.3.4 based on 3.3.4-candidate-2
Release Apache Pulsar 4.0.2 based on 4.0.2-candidate-3

[lhotari]

3.0.9, 3.3.4 and 4.0.2 releases have been completed. release notes are available at https://pulsar.apache.org/release-notes/ .

[sbandaru]

Thank You !