We will announce the releases when the binaries are available.
On 16/12/2021 05:37, Parag Somani wrote:
Thank you Chesnay for expediting this fix...!
Can you suggest, when can I get binaries for 1.14.2 flink version?
On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org>
wrote:
We will push docker images for all new releases, yes.
On 16/12/2021 01:16, Michael Guterl wrote:
Will you all be pushing Docker images for the 1.11.6 release?
On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler
<ches...@apache.org> wrote:
The current ETA is 40h for an official announcement.
We are validating the release today (concludes in 16h),
publish it tonight, then wait for mirrors to be synced (about a
day), then we announce it.
On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
Hello,
Could you please tell when we can expect Flink 1.12.7
release? We are waiting for the CVE fix.
Regards,
Suchithra
*From:* Chesnay Schepler <ches...@apache.org>
*Sent:* Wednesday, December 15, 2021 4:04 PM
*To:* Richard Deurwaarder <rich...@xeli.eu>
*Cc:* user <user@flink.apache.org>
*Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
We will also update the docker images.
On 15/12/2021 11:29, Richard Deurwaarder wrote:
Thanks for picking this up quickly!
I saw you've made a second minor upgrade to upgrade to
log4j2 2.16 which is perfect.
Just to clarify: Will you also push new docker images
for these releases as well? In particular flink 1.11.6
(Sorry we must upgrade soon! :()
On Tue, Dec 14, 2021 at 2:33 AM narasimha
<swamy.haj...@gmail.com> wrote:
Thanks Timo, that was helpful.
On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar
<prasannakumarram...@gmail.com> wrote:
Chesnay Thank you for the clarification.
On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler
<ches...@apache.org> wrote:
The flink-shaded-zookeeper jars do not
contain log4j.
On 13/12/2021 14:11, Prasanna kumar wrote:
Does Zookeeper have this vulnerability
dependency ? I see references to log4j
in Shaded Zookeeper jar included as part
of the flink distribution.
On Mon, Dec 13, 2021 at 1:40 PM Timo
Walther <twal...@apache.org> wrote:
While we are working to upgrade the affected dependencies of all
components, we recommend users follow the advisory of the Apache Log4j
Community. Also Ververica platform can be patched with a similar approach:

To configure the JVMs used by Ververica Platform, you can pass custom
Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
following to your platform values.yaml, or append to the existing value
of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
the platform with Helm:

env:
  - name: JAVA_TOOL_OPTIONS
    value: -Dlog4j2.formatMsgNoLookups=true

For any questions, please contact us via our support portal.
Regards,
Timo
On 11.12.21 06:45, narasimha wrote:
> Folks, what about the Ververica platform. Is there any mitigation
> around it?
>
> On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:
>
> I would recommend to modify your log4j configurations to set
> log4j2.formatMsgNoLookups to true.
>
> As far as I can tell this is equivalent to upgrading log4j, which
> just disabled this lookup by default.
>
> On 10/12/2021 10:21, Richard Deurwaarder wrote:
>> Hello,
>>
>> There has been a log4j2 vulnerability made public
>> https://www.randori.com/blog/cve-2021-44228/ which is making
>> some waves :)
>> This post even explicitly mentions Apache Flink:
>> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>
>> And fortunately, I saw this was already on your radar:
>> https://issues.apache.org/jira/browse/FLINK-25240
>>
>> What would the advice be for flink users? Do you expect to push a
>> minor to fix this? Or is it advisable to upgrade to the latest
>> log4j2 version manually for now?
>>
>> Thanks for any advice!
>
> --
> A.Narasimha Swamy
--
A.Narasimha Swamy
--
Regards,
Parag Surajmal Somani.
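
The question in the thread about log4j references in the shaded ZooKeeper jar, and the JAVA_TOOL_OPTIONS mitigation, can both be checked locally. The following is an added example, not part of the thread and not Flink or Ververica tooling: it searches jars (including nested ones) for log4j-core's JndiLookup class and checks an option string for the flag; the helper names and the sample jars are constructed for illustration.

```python
import io
import sys
import zipfile

# Class behind the JNDI lookup in log4j-core. Shaded jars can relocate the
# package prefix, so match on the path suffix instead of the full name.
JNDI_SUFFIX = "log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
FLAG = "-Dlog4j2.formatMsgNoLookups="

def find_jndi_lookup(data, label):
    """Return 'outer!/inner' paths of every JndiLookup.class in an archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive, nothing to report
    hits = []
    with zf:
        for name in zf.namelist():
            if name.endswith(JNDI_SUFFIX):
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVES):  # fat jar: recurse into it
                hits += find_jndi_lookup(zf.read(name), f"{label}!/{name}")
    return hits

def lookups_disabled(java_tool_options):
    """True only if the flag is present and every occurrence is 'true'."""
    values = [o[len(FLAG):] for o in java_tool_options.split() if o.startswith(FLAG)]
    return bool(values) and all(v == "true" for v in values)

def make_jar(entries):
    """Build a constructed in-memory jar from {path: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan real archives given on the command line
        for p in sys.argv[1:]:
            with open(p, "rb") as fh:
                print(p, find_jndi_lookup(fh.read(), p))
    else:  # constructed sample: a fat jar that bundles log4j-core
        core = make_jar({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b""})
        fat = make_jar({"lib/log4j-core.jar": core, "app/Main.class": b""})
        print(find_jndi_lookup(fat, "app.jar"))
        print(lookups_disabled("-Xmx1g -Dlog4j2.formatMsgNoLookups=true"))
```

Run it with jar paths as arguments to scan real archives. The formatMsgNoLookups flag is only read by Log4j 2.10 and later, so a hit on an older log4j-core still needs the upgrade.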