Release 4.16.2

Release 4.16.2 includes multiple bug fixes and some dependencies CVE fixes.

Apache BookKeeper users are encouraged to upgrade to 4.16.2.
The technical details of this release are summarized below.

Highlights

Bugs

• Fix trigger GC not work PR #3998
• Make slogger use current class PR #3994
• Fix Journal without flush PR #3979
• Fix npe when iterate pendingLedgersUpdates and pendingDeletedLedgers. PR #3955
• Fix ledger replicated failed blocks bookie decommission process PR #3917
• SingleDirectoryDbLedgerStorage#flushMutex does not release lock on all exception paths PR #3909
• Fix ReclaimedSpaceViaDeletes stats incorrect problem. PR #3906
• Fix keys leak in EntryLocationIndex when ledgersToDelete is empty PR #3903
• Fix garbage collection blocked by runtime exception PR #3901
• Always one orphan ledger is created PR #3813
• Fix data lost when configured multiple ledger directories PR #3329
• Fix memory leak of direct memory in direct memory entry logger. PR #3983
• Fix wrong update checkAllLedgersTime when ledgerReplication disabled PR #3939
• Fix some metrics generated by prometheus client without type info PR #3927

Improvements

• Unify ByteBufAllocator for the DirectIO component PR #3985
• Fix arbitrary file upload vulnerability with httpServerEnabled PR #3982
• Check indexBaseDir specified with ledgerBaseDir PR #3967
• Clear channel when channelInactive PR #3966
• Reduce unnecessary creation of ReplicationEnableCb objects PR #3960
• Avoid compaction to trigger extra flushes DbLedgerStorage PR #3959
• When the executor has been shut down, do not schedule task PR #3946
• Drop invalid entryFormat arg from shell command PR #3938
• Enable PCBC completionObjects autoShrink to reduce memory usage and gc PR #3913
• Recycle dropping read-write requests when various exceptions happened PR #3912
• Cleanup CbThreadFactory PR #3907
• Return activeLogChannel if new create PR #3894
• Prevent transit to writable mode when forceReadOnly mode is active PR #3881
• Execute clean indexes in finally PR #3772
• Use ChannelVoidPromise to avoid useless promise objects creation PR #3733

Dependency updates

• Upgrade grpc and protobuf to address CVE-2023-32732 PR #3992
• [Branch-4.16] Downgrade grpc and protobuf to avoid introducing breaking change PR #4001
• Fix issue with binary compatibility with older grpc versions at runtime in the client PR #3997
• Upgrade snappy-java to address multiple CVEs PR #3993
• Upgrade Netty to 4.1.93.Final PR #3975
• Upgrade jetty version to 9.4.51.v20230217 PR #3937
• Upgrade docusaurus to 2.4.0 PR #3936
• Upgrade docker base image to resolve CVE-2023-0286 PR #3916
• Remove avro, hadoop-auth and jersey-json dependencies from hadoop-common to resolve CVE-2019-10202, CVE-2023-1370 and CVE-2022-45685 PR #3911

Details

https://github.com/apache/bookkeeper/pulls?q=is%3Apr+label%3Arelease%2F4.16.2+is%3Aclosed