scylladb / scylla-jmx

Scylla JMX proxy
GNU Affero General Public License v3.0

Backport two dependency updates to branch-4.3 #184

Closed avelanarius closed 2 years ago

avelanarius commented 2 years ago

Backport a commit updating the snakeyaml dependency.

Update the Jackson dependency to a newer version without any known security vulnerabilities.

avelanarius commented 2 years ago

This PR cleanly applies also to the branch-4.4.

avikivity commented 2 years ago

branch 4.3 is long dead

avikivity commented 2 years ago

Active branches: 4.5, 4.6, 5.0.

denesb commented 2 years ago

@avelanarius why did you target 4.3 and 4.4? Are more recent branches not affected? If they are, we can backport to the active branches as described by @avikivity.

avelanarius commented 2 years ago

@denesb The fix of this PR is already in master. If I understand the patch flow maintainer documentation correctly (I misunderstood it before), a maintainer should cherry-pick fe351e84910017e0bd1f88c750bcd768081b5723 and 6b677f98c109ee298619a486a9dd374623e3a71a onto older branches.

avikivity commented 2 years ago

@avelanarius sorry to pile on more paperwork, but to backport something, we need an issue. So please create issues in scylla.git and immediately close them referencing the commits that fix the problem.

denesb commented 2 years ago

Also, like I mentioned in https://github.com/scylladb/scylla-enterprise-jmx/issues/10#issuecomment-1149425901 we need to know which releases are vulnerable. Usually, when backporting a fix, we backport to all live releases. The only reason to exclude a release from backport is it not being vulnerable to the fixed bug.

denesb commented 2 years ago

I understand that 2021.1 is the target, but we have both older and newer live releases.