Since the Maven artifacts have already been published, we will use the
next patch version for each release, i.e.:
1.11.6
1.12.7
1.13.5
1.14.2
(We could technically just update the source/binaries, but that seems
fishy).
On 14/12/2021 22:38, Chesnay Schepler wrote:
I'm canceling the release because the issue was not fully fixed in
Log4j 2.15.0; see CVE-2021-45046.
I will start preparing new release candidates that use Log4j 2.16.0.
On 14/12/2021 21:28, Chesnay Schepler wrote:
The vote duration has passed and we have approved the releases.
Binding votes:
* Stephan
* Till
* Xintong
* Zhu
* Gordon
I will not finalize the release.
On 13/12/2021 20:28, Chesnay Schepler wrote:
Hi everyone,
This vote is for the emergency patch releases for 1.11, 1.12, 1.13
and 1.14 to address CVE-2021-44228.
It covers all 4 releases as they contain the same changes (upgrading
Log4j to 2.15.0) and were prepared simultaneously by the same person.
(Hence, if something is broken, it likely applies to all releases.)
Please review and vote on the release candidate #1 for the versions
1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
[ ] +1, Approve the releases
[ ] -1, Do not approve the releases (please provide specific comments)
The complete staging area is available for your review, which includes:
* JIRA release notes [1],
* the official Apache source releases and binary convenience
  releases to be deployed to dist.apache.org [2], which are signed
  with the key with fingerprint C2EED7B111D464BA [3],
* all artifacts to be deployed to the Maven Central Repository [4],
  * *the jars for 1.13/1.14 are still being built*
* source code tags [5],
* website pull request listing the new releases and adding
  announcement blog post [6].
The vote will be open for at least 24 hours. The minimum vote time
has been shortened as the changes are minimal and the matter is urgent.
It is adopted by majority approval, with at least 3 PMC affirmative
votes.
Thanks,
Chesnay
[1]
1.11: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
1.12: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
1.13: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
1.14: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
[2]
1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
[3] https://dist.apache.org/repos/dist/release/flink/KEYS
[4]
1.11/1.12: https://repository.apache.org/content/repositories/orgapacheflink-1455
1.13: https://repository.apache.org/content/repositories/orgapacheflink-1457
1.14: https://repository.apache.org/content/repositories/orgapacheflink-1456
[5]
1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
[6] https://github.com/apache/flink-web/pull/489