@lhotari lhotari commented Oct 19, 2023

Motivation

OWASP dependency check reports CVE-2023-44981 for Zookeeper.

Modifications

Upgrade Zookeeper to 3.8.3.
Release notes: https://zookeeper.apache.org/doc/r3.8.3/releasenotes.html

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete


codecov-commenter commented Oct 19, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 73.32%. Comparing base (b1bca56) to head (38fd3bc).
Report is 1501 commits behind head on master.

@@             Coverage Diff              @@
##             master   #21398      +/-   ##
============================================
+ Coverage     73.27%   73.32%   +0.05%     
+ Complexity    32581    32580       -1     
============================================
  Files          1888     1888              
  Lines        140282   140279       -3     
  Branches      15415    15416       +1     
============================================
+ Hits         102790   102861      +71     
+ Misses        29415    29338      -77     
- Partials       8077     8080       +3     
Flag Coverage Δ
inttests 24.19% <ø> (+0.03%) ⬆️
systests 24.77% <ø> (+0.06%) ⬆️
unittests 72.60% <ø> (+0.02%) ⬆️

see 70 files with indirect coverage changes

@Technoboy- Technoboy- added this to the 3.2.0 milestone Oct 19, 2023
@lhotari lhotari merged commit e5120ec into apache:master Oct 19, 2023
shibd pushed a commit to shibd/pulsar that referenced this pull request Oct 22, 2023
shibd pushed a commit to shibd/pulsar that referenced this pull request Oct 23, 2023
shibd pushed a commit to shibd/pulsar that referenced this pull request Oct 23, 2023
shibd pushed a commit to shibd/pulsar that referenced this pull request Oct 24, 2023
poorbarcode pushed a commit that referenced this pull request Oct 24, 2023
@compuguy

Out of curiosity, because of the severity of CVE-2023-44981, will this be cherry-picked to fix the recent release of 3.1.1? Or will 3.1.2 be expedited?

lhotari added a commit that referenced this pull request Oct 26, 2023

lhotari commented Oct 26, 2023

> Out of curiosity, because of the severity of CVE-2023-44981, will this be cherry-picked to fix the recent release of 3.1.1? Or will 3.1.2 be expedited?

@compuguy Unfortunately, this didn't make it to 3.1.1. The release decisions are made on the dev mailing list. I have started this email thread: https://lists.apache.org/thread/czjtyxhfdbowptf34qs7r4o1qdpql5kh. I think it could justify expediting the 3.1.2 release.

@compuguy

I understand @lhotari. I honestly think that's a great justification for pushing that before 3.2. Plus fixing #21280, #21397, and #21395 would be beneficial. 👍

@Debashish-Mallick

@lhotari Because of severity we cherry-picked to Pulsar 2.10.4, facing many issues during compile time itself. Could you please suggest whether it is applicable for 2.10.4? Seeing 2.10.6 labels being added.

nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023