Hi folks,

When can we expect the release to be made available to the community?

On Wed, Dec 22, 2021 at 3:07 PM David Morávek <d...@apache.org> wrote:

> Hi Debraj,
>
> we're currently not planning another emergency release as this CVE is not
> as critical for Flink users as the previous one. However, this patch will
> be included in all upcoming patch & minor releases. The patch release for
> the 1.14.x branch is already in progress [1] (it may be a bit delayed due to
> the holiday season).
>
> [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk
>
> Best,
> D.
>
> On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <subharaj.ma...@gmail.com>
> wrote:
>
>> Any idea when can we expect
>> https://issues.apache.org/jira/browse/FLINK-25375 to be released?
>>
>> On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <mart...@ververica.com>
>> wrote:
>>
>>> Hi,
>>>
>>> The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked
>>> at https://issues.apache.org/jira/browse/FLINK-25375.
>>>
>>> Best regards,
>>>
>>> Martijn
>>>
>>> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore)
>>> <suchithra....@nokia.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> It seems there is a high severity vulnerability in log4j 2.16.0
>>>> (CVE-2021-45105, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105).
>>>>
>>>> Refer: https://logging.apache.org/log4j/2.x/security.html
>>>>
>>>> Any update on this please?
>>>>
>>>> Regards,
>>>> Suchithra
>>>>
>>>> *From:* Chesnay Schepler <ches...@apache.org>
>>>> *Sent:* Thursday, December 16, 2021 4:35 PM
>>>> *To:* Parag Somani <somanipa...@gmail.com>
>>>> *Cc:* Michael Guterl <gute...@justin.tv>; V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>;
>>>> Richard Deurwaarder <rich...@xeli.eu>; user <user@flink.apache.org>
>>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>>
>>>> We will announce the releases when the binaries are available.
>>>>
>>>> On 16/12/2021 05:37, Parag Somani wrote:
>>>>
>>>> Thank you Chesnay for expediting this fix...!
>>>>
>>>> Can you suggest, when can I get binaries for 1.14.2 flink version?
>>>>
>>>> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org>
>>>> wrote:
>>>>
>>>> We will push docker images for all new releases, yes.
>>>>
>>>> On 16/12/2021 01:16, Michael Guterl wrote:
>>>>
>>>> Will you all be pushing Docker images for the 1.11.6 release?
>>>>
>>>> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ches...@apache.org>
>>>> wrote:
>>>>
>>>> The current ETA is 40h for an official announcement.
>>>>
>>>> We are validating the release today (concludes in 16h), publish it
>>>> tonight, then wait for mirrors to sync (about a day), then we announce
>>>> it.
>>>>
>>>> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
>>>>
>>>> Hello,
>>>>
>>>> Could you please tell when we can expect Flink 1.12.7 release? We are
>>>> waiting for the CVE fix.
>>>>
>>>> Regards,
>>>> Suchithra
>>>>
>>>> *From:* Chesnay Schepler <ches...@apache.org>
>>>> *Sent:* Wednesday, December 15, 2021 4:04 PM
>>>> *To:* Richard Deurwaarder <rich...@xeli.eu>
>>>> *Cc:* user <user@flink.apache.org>
>>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>>
>>>> We will also update the docker images.
>>>>
>>>> On 15/12/2021 11:29, Richard Deurwaarder wrote:
>>>>
>>>> Thanks for picking this up quickly!
>>>>
>>>> I saw you've made a second minor upgrade to upgrade to log4j2 2.16
>>>> which is perfect.
>>>>
>>>> Just to clarify: Will you also push new docker images for these
>>>> releases as well? In particular flink 1.11.6 (Sorry we must upgrade soon!
>>>> :()
>>>>
>>>> On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com>
>>>> wrote:
>>>>
>>>> Thanks Timo, that was helpful.
>>>>
>>>> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar
>>>> <prasannakumarram...@gmail.com> wrote:
>>>>
>>>> Chesnay Thank you for the clarification.
>>>>
>>>> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org>
>>>> wrote:
>>>>
>>>> The flink-shaded-zookeeper jars do not contain log4j.
>>>>
>>>> On 13/12/2021 14:11, Prasanna kumar wrote:
>>>>
>>>> Does Zookeeper have this vulnerable dependency? I see references to
>>>> log4j in the shaded Zookeeper jar included as part of the flink distribution.
>>>>
>>>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org>
>>>> wrote:
>>>>
>>>> While we are working to upgrade the affected dependencies of all
>>>> components, we recommend users follow the advisory of the Apache Log4j
>>>> Community. Also Ververica platform can be patched with a similar
>>>> approach:
>>>>
>>>> To configure the JVMs used by Ververica Platform, you can pass custom
>>>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
>>>> following to your platform values.yaml, or append to the existing value
>>>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
>>>> the platform with Helm:
>>>> env:
>>>>    - name: JAVA_TOOL_OPTIONS
>>>>      value: -Dlog4j2.formatMsgNoLookups=true
>>>>
>>>> For any questions, please contact us via our support portal.
>>>>
>>>> Regards,
>>>> Timo
>>>>
>>>> On 11.12.21 06:45, narasimha wrote:
>>>> > Folks, what about the Ververica platform. Is there any
>>>> > mitigation around it?
>>>> >
>>>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org>
>>>> > wrote:
>>>> >
>>>> >     I would recommend to modify your log4j configurations to set
>>>> >     log4j2.formatMsgNoLookups to true.
>>>> >
>>>> >     As far as I can tell this is equivalent to upgrading log4j, which
>>>> >     just disabled this lookup by default.
>>>> >
>>>> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>>>> >>     Hello,
>>>> >>
>>>> >>     There has been a log4j2 vulnerability made public
>>>> >>     https://www.randori.com/blog/cve-2021-44228/ which is making
>>>> >>     some waves :)
>>>> >>     This post even explicitly mentions Apache Flink:
>>>> >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>>> >>
>>>> >>     And fortunately, I saw this was already on your radar:
>>>> >>     https://issues.apache.org/jira/browse/FLINK-25240
>>>> >>
>>>> >>     What would the advice be for flink users? Do you expect to push a
>>>> >>     minor to fix this? Or is it advisable to upgrade to the latest
>>>> >>     log4j2 version manually for now?
>>>> >>
>>>> >>     Thanks for any advice!
>>>> >
>>>> > --
>>>> > A.Narasimha Swamy
>>>>
>>>> --
>>>> A.Narasimha Swamy
>>>>
>>>> --
>>>> Regards,
>>>> Parag Surajmal Somani.
>>>>
>>>

-- 
A.Narasimha Swamy
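The thread recommends two things to Flink operators: check which jars in the distribution actually ship log4j-core (Chesnay confirms flink-shaded-zookeeper does not) and, until the upgraded release lands, set log4j2.formatMsgNoLookups=true through JAVA_TOOL_OPTIONS. The script below is an added example, not code from this thread, from the Flink project or from Ververica. It walks an install tree, reads the version of every log4j-core it finds (recursing into jars nested inside uber jars), flags anything below 2.17.0 (the target version FLINK-25375 tracks), and checks a JAVA_TOOL_OPTIONS string for the mitigation flag. The pom.properties and JndiLookup class paths are the real locations inside log4j-core artifacts; the directory layout, jar names and jar contents built by build_sample_distribution() are constructed for the example.

```python
import io
import os
import tempfile
import zipfile

# Real locations inside log4j-core artifacts: Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# The version the thread is waiting for (FLINK-25375 tracks the move to Log4j 2.17.0).
FIXED_VERSION = (2, 17, 0)


def parse_version(text):
    """'2.16.0' -> (2, 16, 0); a qualifier such as '-rc1' is dropped."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split(".")[:3])


def _inspect(zf, label, findings):
    """Record log4j-core evidence in one open zip, then recurse into any nested jars."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        findings.append({
            "jar": label,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # Unknown version with the lookup class present is treated as needing attention.
            "needs_upgrade": version is None or version < FIXED_VERSION,
        })
    for name in sorted(names):
        if name.endswith(".jar"):  # uber/shaded jars may embed dependencies whole
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _inspect(inner, f"{label}!{name}", findings)


def scan_distribution(root):
    """Walk an install tree and return one finding per jar (nested included) that ships log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for filename in sorted(files):
            if filename.endswith(".jar"):
                path = os.path.join(dirpath, filename)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with zipfile.ZipFile(path) as zf:
                    _inspect(zf, label, findings)
    return findings


def format_msg_no_lookups_enabled(java_tool_options):
    """True when the JAVA_TOOL_OPTIONS value carries the flag the values.yaml snippet above sets."""
    return "-Dlog4j2.formatMsgNoLookups=true" in java_tool_options.split()


def build_sample_distribution():
    """Constructed sample tree (not a real Flink distribution) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="flink-sample-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "opt"))

    def write_jar(path, entries):
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    fake_class = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
    write_jar(os.path.join(root, "lib", "log4j-core-2.16.0.jar"), {
        POM_PROPS: "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.16.0\n",
        JNDI_LOOKUP: fake_class,
    })
    # Per the thread, flink-shaded-zookeeper does not contain log4j; model it without any.
    write_jar(os.path.join(root, "lib", "flink-shaded-zookeeper.jar"), {
        "org/apache/zookeeper/ZooKeeper.class": fake_class,
    })
    # A user job jar embedding log4j-core 2.17.0 as a nested jar.
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.17.0\n")
        zf.writestr(JNDI_LOOKUP, fake_class)
    write_jar(os.path.join(root, "opt", "my-job-uber.jar"), {
        "lib/log4j-core-2.17.0.jar": nested.getvalue(),
    })
    return root


if __name__ == "__main__":
    sample = build_sample_distribution()
    for finding in scan_distribution(sample):
        print(finding)
    print("mitigation flag set:",
          format_msg_no_lookups_enabled(os.environ.get("JAVA_TOOL_OPTIONS", "")))
```

Point scan_distribution() at a real Flink install (lib/, opt/, plugins/) and at deployed job jars; a finding with needs_upgrade set means that jar still needs the release the thread is waiting for, and format_msg_no_lookups_enabled() tells you whether the interim JAVA_TOOL_OPTIONS mitigation is in effect for the JVM whose environment you pass in.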
