We will announce the releases when the binaries are available.

On 16/12/2021 05:37, Parag Somani wrote:
Thank you Chesnay for expediting this fix...!

Can you suggest when I can get binaries for the 1.14.2 Flink version?

On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org> wrote:

    We will push docker images for all new releases, yes.

    On 16/12/2021 01:16, Michael Guterl wrote:
    Will you all be pushing Docker images for the 1.11.6 release?

    On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler
    <ches...@apache.org> wrote:

        The current ETA is 40h for an official announcement.
        We are validating the release today (concludes in 16h),
        publish it tonight, then wait for mirrors to be synced (about a
        day), then we announce it.

        On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:

        Hello,

        Could you please tell when we can expect Flink 1.12.7
        release? We are waiting for the CVE fix.

        Regards,

        Suchithra

        From: Chesnay Schepler <ches...@apache.org>
        Sent: Wednesday, December 15, 2021 4:04 PM
        To: Richard Deurwaarder <rich...@xeli.eu>
        Cc: user <user@flink.apache.org>
        Subject: Re: CVE-2021-44228 - Log4j2 vulnerability

        We will also update the docker images.

        On 15/12/2021 11:29, Richard Deurwaarder wrote:

            Thanks for picking this up quickly!

            I saw you've made a second minor upgrade to upgrade to
            log4j2 2.16 which is perfect.

            Just to clarify: Will you also push new docker images
            for these releases as well? In particular flink 1.11.6
            (Sorry we must upgrade soon! :()

            On Tue, Dec 14, 2021 at 2:33 AM narasimha
            <swamy.haj...@gmail.com> wrote:

                Thanks Timo, that was helpful.

                On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar
                <prasannakumarram...@gmail.com> wrote:

                    Chesnay Thank you for the clarification.

                    On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler
                    <ches...@apache.org> wrote:

                        The flink-shaded-zookeeper jars do not
                        contain log4j.

                        On 13/12/2021 14:11, Prasanna kumar wrote:

                            Does Zookeeper have this vulnerability
                            dependency ? I see references to log4j
                            in Shaded Zookeeper jar included as part
                            of the flink distribution.

                            On Mon, Dec 13, 2021 at 1:40 PM Timo
                            Walther <twal...@apache.org> wrote:

                                While we are working to upgrade the
                                affected dependencies of all
                                components, we recommend users
                                follow the advisory of the Apache Log4j
                                Community. Also Ververica platform
                                can be patched with a similar approach:

                                To configure the JVMs used by
                                Ververica Platform, you can pass custom
                                Java options via the
                                JAVA_TOOL_OPTIONS environment
                                variable. Add the
                                following to your platform
                                values.yaml, or append to the
                                existing value
                                of JAVA_TOOL_OPTIONS if you are
                                using it already there, then redeploy
                                the platform with Helm:
                                 env:
                                   - name: JAVA_TOOL_OPTIONS
                                     value: -Dlog4j2.formatMsgNoLookups=true


                                For any questions, please contact us
                                via our support portal.

                                Regards,
                                Timo

                                On 11.12.21 06:45, narasimha wrote:
                                 > Folks, what about the Ververica platform? Is there any
                                 > mitigation around it?
                                 >
                                 > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler
                                 > <ches...@apache.org> wrote:
                                 >
                                 >     I would recommend modifying your log4j configurations to set
                                 >     log4j2.formatMsgNoLookups to true.
                                 >
                                 >     As far as I can tell this is equivalent to upgrading log4j,
                                 >     which just disabled this lookup by default.
                                 >
                                 >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
                                 >>     Hello,
                                 >>
                                 >>     There has been a log4j2 vulnerability made public
                                 >>     https://www.randori.com/blog/cve-2021-44228/
                                 >>     which is making some waves :)
                                 >>     This post even explicitly mentions Apache Flink:
                                 >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
                                 >>
                                 >>     And fortunately, I saw this was already on your radar:
                                 >>     https://issues.apache.org/jira/browse/FLINK-25240
                                 >>
                                 >>     What would the advice be for flink users? Do you expect to push a
                                 >>     minor to fix this? Or is it advisable to upgrade to the latest
                                 >>     log4j2 version manually for now?
                                 >>
                                 >>     Thanks for any advice!
                                 >
                                 > --
                                 > A.Narasimha Swamy


--
                A.Narasimha Swamy





--
Regards,
Parag Surajmal Somani.
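An added example (Python; not code from this thread, Apache Flink or Ververica) that turns the two practical questions raised in the thread into checks: whether a given jar, such as the flink-shaded-zookeeper jar asked about above, actually bundles log4j-core and its JndiLookup class, and how to merge -Dlog4j2.formatMsgNoLookups=true into an existing JAVA_TOOL_OPTIONS entry of a values.yaml env list without clobbering what is already there. The sample jars and env lists are constructed inline for the demo; the version thresholds are facts about log4j itself (the formatMsgNoLookups property is only honoured from 2.10, and 2.16 removed message lookups outright), so treat the flag as a stopgap and the 2.16 upgrade mentioned in the thread as the fix.

```python
"""Added example (not code from the thread, Apache Flink or Ververica):
triage of CVE-2021-44228 for a Flink deployment.

inspect_jar/assess: does a jar bundle log4j-core, which version, and is
JndiLookup.class (the class that performs the JNDI lookup) present?
add_no_lookups_flag: merge -Dlog4j2.formatMsgNoLookups=true into a
Kubernetes-style env list.  All sample data here is constructed for the demo.
"""
import io
import zipfile
from typing import Optional

LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_SUFFIX = "/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FLAG_KEY = "-Dlog4j2.formatMsgNoLookups="
NO_LOOKUPS_FLAG = FLAG_KEY + "true"


def inspect_jar(jar_bytes: bytes) -> dict:
    """Report whether a jar (a zip) bundles log4j-core, its version and JndiLookup."""
    info = {"has_log4j_core": False, "has_jndi_lookup": False, "version": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        info["has_log4j_core"] = any(n.startswith(LOG4J_CORE_PREFIX) for n in names)
        # Suffix match so a shaded/relocated JndiLookup is still found.
        info["has_jndi_lookup"] = any(n.endswith(JNDI_LOOKUP_SUFFIX) for n in names)
        if POM_PROPS in names:  # Maven-built jars record the artifact version here
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    info["version"] = line.split("=", 1)[1].strip()
    return info


def parse_version(version: Optional[str]) -> Optional[tuple]:
    """'2.16' -> (2, 16, 0); None or a non-numeric string such as '2.16.0-rc1' -> None."""
    if not version:
        return None
    try:
        parts = [int(p) for p in version.split(".")]
    except ValueError:
        return None
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def assess(info: dict) -> str:
    """Classify a jar's exposure to CVE-2021-44228 from inspect_jar() output."""
    if info["has_jndi_lookup"] and not info["has_log4j_core"]:
        return "relocated-log4j"        # JndiLookup under a shaded package: inspect by hand
    if not info["has_log4j_core"]:
        return "no-log4j-core"          # e.g. flink-shaded-zookeeper, per the thread
    if not info["has_jndi_lookup"]:
        return "jndi-lookup-removed"    # class stripped from the jar: JNDI path unreachable
    version = parse_version(info["version"])
    if version is None:
        return "unknown-version"        # no usable pom.properties: check the manifest by hand
    if version >= (2, 16, 0):
        return "upgraded"               # 2.16 removed message lookups entirely
    if version >= (2, 10, 0):
        return "mitigate-with-flag"     # formatMsgNoLookups is honoured from 2.10 onward
    return "upgrade-required"           # older releases ignore the flag; only an upgrade helps


def add_no_lookups_flag(env: list) -> list:
    """Copy a Kubernetes env list with the mitigation merged into JAVA_TOOL_OPTIONS.

    Other options are kept, any earlier formatMsgNoLookups=... is dropped and the
    flag is appended last (the last -D wins in the JVM), so re-running is a no-op.
    """
    merged, seen = [], False
    for entry in env:
        if entry.get("name") != "JAVA_TOOL_OPTIONS":
            merged.append(dict(entry))
            continue
        seen = True
        options = [o for o in entry.get("value", "").split() if not o.startswith(FLAG_KEY)]
        merged.append({"name": "JAVA_TOOL_OPTIONS", "value": " ".join(options + [NO_LOOKUPS_FLAG])})
    if not seen:
        merged.append({"name": "JAVA_TOOL_OPTIONS", "value": NO_LOOKUPS_FLAG})
    return merged


def build_sample_jar(include_log4j: bool, with_jndi: bool = True,
                     version: str = "2.14.1", relocate: str = "") -> bytes:
    """Constructed sample jar for the demo; class bodies are placeholders, not real bytecode."""
    prefix = relocate + LOG4J_CORE_PREFIX
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/zookeeper/ZooKeeper.class", b"\xca\xfe\xba\xbe")
        if include_log4j:
            jar.writestr(prefix + "LogEvent.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                jar.writestr(prefix + "lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
            jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                    "artifactId=log4j-core\nversion=%s\n" % version)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("shaded zookeeper, no log4j", build_sample_jar(False)),
               ("log4j-core 2.14.1", build_sample_jar(True)),
               ("log4j-core 2.16.0", build_sample_jar(True, version="2.16.0")),
               ("log4j-core 2.9.1", build_sample_jar(True, version="2.9.1")),
               ("relocated log4j", build_sample_jar(True, relocate="org/apache/flink/shaded/"))]
    for label, jar in samples:
        print("%-28s -> %s" % (label, assess(inspect_jar(jar))))
    print(add_no_lookups_flag([{"name": "JAVA_TOOL_OPTIONS", "value": "-Xmx2g"}]))
```

Against a real deployment, feed inspect_jar the bytes of each jar under lib/ and opt/ of the Flink distribution (and of every user jar you submit, since those can bundle their own log4j-core). A jar that relocates log4j under a shaded package name still trips the suffix match on JndiLookup.class and is reported as relocated-log4j rather than silently passing; that and unknown-version are the cases to open by hand.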
