I will start preparing the release candidates. On 12/12/2021 23:23, Stephan Ewen wrote:
Hi all!Without doubt, you heard about the log4j vulnerability [1]. There is an advisory blog post on how to mitigate this in Apache Flink [2], which involves setting a config option and restarting the processes. That is fortunately a relatively simple fix. Despite this workaround, I think we should do an immediate release with the updated dependency. Meaning not waiting for the next bug fix releases coming in a few weeks, but releasing asap. The mood I perceive in the industry is pretty much panicky over this, and I expect we will see many requests for a patched release and many discussions why the workaround alone would not be enough due to certain guidelines. I suggest that we preempt those discussions and create releases the following way: - we take the latest already released versions from each release branch: ==> 1.14.0, 1.13.3, 1.12.5, 1.11.4 - we add a single commit to those that just updates the log4j dependency - we release those as 1.14.1, 1.13.4, 1.12.6, 1.11.5, etc. - that way we don't need to do functional release tests, because the released code is identical to the previous release, except for the log4j dependency - we can then continue the work on the upcoming bugfix releases as planned, without high pressure I would suggest creating those RCs immediately and release them with a special voting period (24h or so). WDYT? Best, Stephan [1] https://nvd.nist.gov/vuln/detail/CVE-2021-44228 [2] https://flink.apache.org/2021/12/10/log4j-cve.html
