[fix][sec] Upgrade Zookeeper to 3.8.3 to address CVE-2023-44981

[lhotari]

Motivation

OWASP dependency check reports CVE-2023-44981 for Zookeeper.

Modifications

Upgrade Zookeeper to 3.8.3.
Release notes: https://zookeeper.apache.org/doc/r3.8.3/releasenotes.html

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

[codecov-commenter]

Codecov Report

Merging #21398 (38fd3bc) into master (b1bca56) will increase coverage by 0.05%.
Report is 5 commits behind head on master.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##             master   #21398      +/-   ##
============================================
+ Coverage     73.27%   73.32%   +0.05%     
+ Complexity    32581    32580       -1     
============================================
  Files          1888     1888              
  Lines        140282   140279       -3     
  Branches      15415    15416       +1     
============================================
+ Hits         102790   102861      +71     
+ Misses        29415    29338      -77     
- Partials       8077     8080       +3     

Flag	Coverage Δ
inttests	24.19% <50.00%> (+0.03%)	⬆️
systests	24.77% <0.00%> (+0.06%)	⬆️
unittests	72.60% <100.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
...sar/broker/service/persistent/PersistentTopic.java	79.64% <100.00%> (+0.35%)	⬆️

... and 69 files with indirect coverage changes

[compuguy]

Out of curiosity, because of the severity of CVE-2023-44981, will this cherry picked to fix the recent release of 3.1.1? Or will 3.1.2 be expedited?

[lhotari]

Out of curiosity, because of the severity of CVE-2023-44981, will this cherry picked to fix the recent release of 3.1.1? Or will 3.1.2 be expedited?

@compuguy Unfortunately, this didn't make it to 3.1.1. . The release decisions are made on the dev mailing list. I have started this email thread: https://lists.apache.org/thread/czjtyxhfdbowptf34qs7r4o1qdpql5kh . I think it could justify expediting 3.1.2 release.

[compuguy]

I understand @lhotari. I honestly think that's a great justification for pushing that before 3.2. Plus fixing #21280, #21397, and #21395 would be beneficial. 👍

[Debashish-Mallick]

@lhotari Because of severity we cherry-picked to pulsar 2.10.4 , facing many issues during compile time Itself. Could you please suggest, whether It is applicable for 2.10.4 ? Seeing 2.10.6 labels is being added .