+1 Thanks for driving this, Sergey. We could also think of removing the ZooKeeper versions 3.5 and 3.6, I guess. 3.6 reached EOL in 2022. Flink 1.17 already switched to 3.7 as the default version.
On Thu, Nov 23, 2023 at 9:31 AM Jing Ge <j...@ververica.com.invalid> wrote: > +1 > > Does it make sense to use 32.1.3-jre Guava? > > Best regards, > Jing > > On Thu, Nov 23, 2023 at 8:42 AM Yun Tang <myas...@live.com> wrote: > > > +1, thanks Sergey for driving this work. > > > > Best > > Yun Tang > > ________________________________ > > From: Leonard Xu <xbjt...@gmail.com> > > Sent: Thursday, November 23, 2023 9:38 > > To: dev <dev@flink.apache.org> > > Subject: Re: [DISCUSS] Towards flink-shaded release 18.0 > > > > +1, thanks Sergey for driving this. > > > > > 2023年11月23日 上午5:46,Martijn Visser <martijnvis...@apache.org> 写道: > > > > > > +1. More than happy to help :) > > > > > > On Wed, Nov 22, 2023 at 9:16 PM Sergey Nuyanzin <snuyan...@gmail.com> > > wrote: > > >> > > >> Hi everyone, > > >> > > >> I would like to start discussion about creating a new 18 release for > > >> flink-shaded[1]. > > >> > > >> Among others it brings fix for ZooKeeper CVE [2], > > >> a couple of Guava CVEs [3], [4] > > >> and support of jdk 21 from netty mentioned in one of > > >> the java 21[5] support subtasks [6] > > >> > > >> Also making a release now will allow to have enough time > > >> for testing before Flink 1.19 release. > > >> > > >> I would volunteer to make the release happen > > >> however probably I guess I will need some PMC help > > >> > > >> > > >> [1] https://github.com/apache/flink-shaded > > >> [2] https://nvd.nist.gov/vuln/detail/CVE-2023-44981 > > >> [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976 > > >> [4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908 > > >> [5] https://issues.apache.org/jira/browse/FLINK-33163 > > >> [6] https://issues.apache.org/jira/browse/FLINK-33331 > > >> > > >> > > >> > > >> > > >> > > >> > > >> -- > > >> Best regards, > > >> Sergey > > > > >
