Given that these artifacts are published already, users can use them if they want to update now:
For example: https://search.maven.org/artifact/org.apache.flink/flink-core/1.14.1/jar Just for the users that really want to update now (rather than rely on the mitigation via config) and are not as much concerned about the remaining weakness in log4j 2.15.0 On Tue, Dec 14, 2021 at 11:18 PM Seth Wiesman <sjwies...@gmail.com> wrote: > Thank you for managing these updates Chesnay! > > > > On Tue, Dec 14, 2021 at 3:51 PM Chesnay Schepler <ches...@apache.org> > wrote: > > > Since the maven artifacts have already been published we will use the > > next patch version for each release, i.e.: > > 1.11.6 > > 1.12.7 > > 1.13.5 > > 1.14.2 > > > > (We could technically just update the source/binaries, but that seems > > fishy). > > > > On 14/12/2021 22:38, Chesnay Schepler wrote: > > > I'm canceling the release because the issue was not fully fixed in > > > Log4j 2.15.0; see CVE-2021-45046. > > > > > > I will start preparing new release candidates that use Log4j 2.16.0 . > > > > > > On 14/12/2021 21:28, Chesnay Schepler wrote: > > >> The vote duration has passed and we have approved the releases. > > >> > > >> Binding votes: > > >> * Stephan > > >> * Till > > >> * Xintong > > >> * Zhu > > >> * Gordon > > >> > > >> I will not finalize the release. > > >> > > >> On 13/12/2021 20:28, Chesnay Schepler wrote: > > >>> Hi everyone, > > >>> > > >>> This vote is for the emergency patch releases for 1.11, 1.12, 1.13 > > >>> and 1.14 to address CVE-2021-44228. > > >>> It covers all 4 releases as they contain the same changes (upgrading > > >>> Log4j to 2.15.0) and were prepared simultaneously by the same person. > > >>> (Hence, if something is broken, it likely applies to all releases) > > >>> > > >>> Please review and vote on the release candidate #1 for the versions > > >>> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows: > > >>> [ ] +1, Approve the releases > > >>> [ ] -1, Do not approve the releases (please provide specific > comments) > > >>> > > >>> The complete staging area is available for your review, which > includes: > > >>> * JIRA release notes [1], > > >>> * the official Apache source releases and binary convenience > > >>> releases to be deployed to dist.apache.org [2], which are signed > > >>> with the key with fingerprint C2EED7B111D464BA [3], > > >>> * all artifacts to be deployed to the Maven Central Repository [4], > > >>> * *the jars for 1.13/1.14 are still being built* > > >>> * source code tags [5], > > >>> * website pull request listing the new releases and adding > > >>> announcement blog post [6]. > > >>> > > >>> The vote will be open for at least 24 hours. The minimum vote time > > >>> has been shortened as the changes are minimal and the matter is > urgent. > > >>> It is adopted by majority approval, with at least 3 PMC affirmative > > >>> votes. > > >>> > > >>> Thanks, > > >>> Chesnay > > >>> > > >>> [1] > > >>> 1.11: > > >>> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327 > > >>> 1.12: > > >>> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328 > > >>> 1.13: > > >>> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686 > > >>> 1.14: > > >>> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512 > > >>> [2] > > >>> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/ > > >>> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/ > > >>> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/ > > >>> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/ > > >>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS > > >>> [4] > > >>> 1.11/1.12: > > >>> > https://repository.apache.org/content/repositories/orgapacheflink-1455 > > >>> 1.13: > > >>> > https://repository.apache.org/content/repositories/orgapacheflink-1457 > > >>> 1.14: > > >>> > https://repository.apache.org/content/repositories/orgapacheflink-1456 > > >>> [5] > > >>> 1.11: > https://github.com/apache/flink/releases/tag/release-1.11.5-rc1 > > >>> 1.12: > https://github.com/apache/flink/releases/tag/release-1.12.6-rc1 > > >>> 1.13: > https://github.com/apache/flink/releases/tag/release-1.13.4-rc1 > > >>> 1.14: > https://github.com/apache/flink/releases/tag/release-1.14.1-rc1 > > >>> [6] https://github.com/apache/flink-web/pull/489 > > >>> > > >> > > > > > > > >