Hi Surendra, You can follow the discussion on this topic in the Dev mailing list [1]. I would expect it in the next couple of weeks.
Best regards, Martijn [1] https://lists.apache.org/thread/n417406j125n080vopljgfflc45yygh4 On Fri, 4 Feb 2022 at 08:49, Surendra Lalwani <surendra.lalw...@swiggy.in> wrote: > Hi Team, > > Any ETA on Flink version 1.13.6 release. > > Thanks and Regards , > Surendra Lalwani > > > On Sun, Jan 9, 2022 at 3:50 PM David Morávek <d...@apache.org> wrote: > >> Flink community officially only supports current and previous minor >> versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn’t expect >> there will be another patch release for 1.12. >> >> If you really need an extra release for the unsupported version, the most >> straightforward approach would be manually building the Flink distribution >> from sources [2] with the patches you need. >> >> [1] >> https://flink.apache.org/downloads.html#update-policy-for-old-releases >> [2] >> >> https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source >> >> D. >> >> On Sun 9. 1. 2022 at 10:10, V N, Suchithra (Nokia - IN/Bangalore) < >> suchithra....@nokia.com> wrote: >> >>> Hi David, >>> >>> >>> >>> As per the below comments, Flink 1.14.3 is in preparation and this >>> hasn't started yet for Flink 1.13.6. Flink 1.12.8 release will be >>> planned after this? If there is no current plan, could you please let us >>> know what will be the regular release timing for 1.12.8 version. >>> >>> >>> >>> Regards, >>> >>> Suchithra >>> >>> >>> >>> *From:* David Morávek <d...@apache.org> >>> *Sent:* Sunday, January 9, 2022 12:11 AM >>> *To:* V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com> >>> *Cc:* Chesnay Schepler <ches...@apache.org>; Martijn Visser < >>> mart...@ververica.com>; Michael Guterl <gute...@justin.tv>; Parag >>> Somani <somanipa...@gmail.com>; patrick.eif...@sony.com; Richard >>> Deurwaarder <rich...@xeli.eu>; User <user@flink.apache.org>; >>> subharaj.ma...@gmail.com; swamy.haj...@gmail.com >>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability >>> >>> >>> >>> Hi Suchithra, >>> >>> >>> >>> there is currently no plan on doing another 1.12 release >>> >>> >>> >>> D. >>> >>> >>> >>> On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) < >>> suchithra....@nokia.com> wrote: >>> >>> Hi, >>> >>> >>> >>> When can we expect the flink 1.12 releases with log4j 2.17.1? >>> >>> >>> >>> Thanks, >>> >>> Suchithra >>> >>> >>> >>> *From:* Martijn Visser <mart...@ververica.com> >>> *Sent:* Thursday, January 6, 2022 7:45 PM >>> *To:* patrick.eif...@sony.com >>> *Cc:* David Morávek <d...@apache.org>; swamy.haj...@gmail.com; >>> subharaj.ma...@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) < >>> suchithra....@nokia.com>; Chesnay Schepler <ches...@apache.org>; User < >>> user@flink.apache.org>; Michael Guterl <gute...@justin.tv>; Richard >>> Deurwaarder <rich...@xeli.eu>; Parag Somani <somanipa...@gmail.com> >>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability >>> >>> >>> >>> Hi all, >>> >>> >>> >>> The ticket for upgrading Log4J to 2.17.0 is >>> https://issues.apache.org/jira/browse/FLINK-25375. There's also the >>> update to Log4j 2.17.1 which is tracked under >>> https://issues.apache.org/jira/browse/FLINK-25472 >>> >>> >>> >>> As you can see, both have a fix version set to 1.14.3 and 1.13.6. These >>> versions haven't been released yet. Flink 1.14.3 is in preparation, this >>> hasn't started yet for Flink 1.13.6. >>> >>> >>> >>> Best regards, >>> >>> >>> >>> Martijn >>> >>> >>> >>> On Thu, 6 Jan 2022 at 15:05, <patrick.eif...@sony.com> wrote: >>> >>> Hi, >>> >>> >>> >>> just to be sure: Which Flink Releases for 1.14 and 1.13 have the >>> upgraded log4j version 2.17.0? >>> >>> Are those already deployed to docker? >>> >>> >>> >>> Many Thanks in Advance. >>> >>> >>> >>> Kind Regards, >>> >>> >>> >>> Patrick >>> >>> -- >>> >>> Patrick Eifler >>> >>> >>> >>> Senior Software Engineer (BI) >>> >>> Cloud Gaming Engineering & Infrastructure >>> Sony Interactive Entertainment LLC >>> >>> Wilhelmstraße 118, 10963 Berlin >>> >>> >>> Germany >>> >>> E: patrick.eif...@sony.com >>> >>> >>> >>> *From: *David Morávek <d...@apache.org> >>> *Date: *Wednesday, 29. December 2021 at 09:35 >>> *To: *narasimha <swamy.haj...@gmail.com> >>> *Cc: *Debraj Manna <subharaj.ma...@gmail.com>, Martijn Visser < >>> mart...@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) < >>> suchithra....@nokia.com>, Chesnay Schepler <ches...@apache.org>, user < >>> user@flink.apache.org>, Michael Guterl <gute...@justin.tv>, Richard >>> Deurwaarder <rich...@xeli.eu>, Parag Somani <somanipa...@gmail.com> >>> *Subject: *Re: CVE-2021-44228 - Log4j2 vulnerability >>> >>> Please follow the above mentioned ML thread for more details. Please >>> note that this is a REGULAR release that is not motivated by the log4j CVE, >>> so the stability of the release is the more important factor then having it >>> out as soon as possible. >>> >>> >>> >>> D. >>> >>> >>> >>> On Mon, Dec 27, 2021 at 6:33 AM narasimha <swamy.haj...@gmail.com> >>> wrote: >>> >>> Hi folks, >>> >>> >>> >>> When can we expect the release to be made available to the community? >>> >>> >>> >>> On Wed, Dec 22, 2021 at 3:07 PM David Morávek <d...@apache.org> wrote: >>> >>> Hi Debraj, >>> >>> >>> >>> we're currently not planning another emergency release as this CVE is >>> not as critical for Flink users as the previous one. However, this patch >>> will be included in all upcoming patch & minor releases. The patch release >>> for the 1.14.x branch is already in progress [1] (it may be bit delayed due >>> to the holiday season). >>> >>> >>> >>> [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk >>> <https://urldefense.com/v3/__https:/lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hRKh5TRwA$> >>> >>> >>> >>> Best, >>> >>> D. >>> >>> >>> >>> On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <subharaj.ma...@gmail.com> >>> wrote: >>> >>> Any idea when can we expect >>> https://issues.apache.org/jira/browse/FLINK-25375 >>> <https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25375__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQwiEO9Lg$> >>> to be released? >>> >>> >>> >>> On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <mart...@ververica.com> >>> wrote: >>> >>> Hi, >>> >>> >>> >>> The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked >>> at https://issues.apache.org/jira/browse/FLINK-25375 >>> <https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25375__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQwiEO9Lg$> >>> . >>> >>> >>> >>> Best regards, >>> >>> >>> >>> Martijn >>> >>> >>> >>> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) < >>> suchithra....@nokia.com> wrote: >>> >>> Hi, >>> >>> >>> >>> It seems there is high severity vulnerability in log4j 2.16.0.( >>> CVE-2021-45105 >>> <https://urldefense.com/v3/__https:/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQxXtq_BQ$> >>> ) >>> >>> Refer : https://logging.apache.org/log4j/2.x/security.html >>> <https://urldefense.com/v3/__https:/logging.apache.org/log4j/2.x/security.html__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hScVJh0Lw$> >>> >>> Any update on this please? >>> >>> >>> >>> Regards, >>> >>> Suchithra >>> >>> >>> >>> *From:* Chesnay Schepler <ches...@apache.org> >>> *Sent:* Thursday, December 16, 2021 4:35 PM >>> *To:* Parag Somani <somanipa...@gmail.com> >>> *Cc:* Michael Guterl <gute...@justin.tv>; V N, Suchithra (Nokia - >>> IN/Bangalore) <suchithra....@nokia.com>; Richard Deurwaarder < >>> rich...@xeli.eu>; user <user@flink.apache.org> >>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability >>> >>> >>> >>> We will announce the releases when the binaries are available. >>> >>> >>> >>> On 16/12/2021 05:37, Parag Somani wrote: >>> >>> Thank you Chesnay for expediting this fix...! >>> >>> >>> >>> Can you suggest, when can I get binaries for 1.14.2 flink version? >>> >>> >>> >>> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org> >>> wrote: >>> >>> We will push docker images for all new releases, yes. >>> >>> >>> >>> On 16/12/2021 01:16, Michael Guterl wrote: >>> >>> Will you all be pushing Docker images for the 1.11.6 release? >>> >>> >>> >>> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ches...@apache.org> >>> wrote: >>> >>> The current ETA is 40h for an official announcement. >>> >>> We are validating the release today (concludes in 16h), publish it >>> tonight, then wait for mirrors to be sync (about a day), then we announce >>> it. >>> >>> >>> >>> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote: >>> >>> Hello, >>> >>> >>> >>> Could you please tell when we can expect Flink 1.12.7 release? We are >>> waiting for the CVE fix. >>> >>> >>> >>> Regards, >>> >>> Suchithra >>> >>> >>> >>> >>> >>> *From:* Chesnay Schepler <ches...@apache.org> <ches...@apache.org> >>> *Sent:* Wednesday, December 15, 2021 4:04 PM >>> *To:* Richard Deurwaarder <rich...@xeli.eu> <rich...@xeli.eu> >>> *Cc:* user <user@flink.apache.org> <user@flink.apache.org> >>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability >>> >>> >>> >>> We will also update the docker images. >>> >>> >>> >>> On 15/12/2021 11:29, Richard Deurwaarder wrote: >>> >>> Thanks for picking this up quickly! >>> >>> >>> >>> I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which >>> is perfect. >>> >>> >>> >>> Just to clarify: Will you also push new docker images for these releases >>> as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :() >>> >>> >>> >>> On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com> >>> wrote: >>> >>> Thanks TImo, that was helpful. >>> >>> >>> >>> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar < >>> prasannakumarram...@gmail.com> wrote: >>> >>> Chesnay Thank you for the clarification. >>> >>> >>> >>> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org> >>> wrote: >>> >>> The flink-shaded-zookeeper jars do not contain log4j. >>> >>> >>> >>> On 13/12/2021 14:11, Prasanna kumar wrote: >>> >>> Does Zookeeper have this vulnerability dependency ? I see references to >>> log4j in Shaded Zookeeper jar included as part of the flink distribution. >>> >>> >>> >>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote: >>> >>> While we are working to upgrade the affected dependencies of all >>> components, we recommend users follow the advisory of the Apache Log4j >>> Community. Also Ververica platform can be patched with a similar >>> approach: >>> >>> To configure the JVMs used by Ververica Platform, you can pass custom >>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the >>> following to your platform values.yaml, or append to the existing value >>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy >>> the platform with Helm: >>> env: >>> - name: JAVA_TOOL_OPTIONS >>> value: -Dlog4j2.formatMsgNoLookups=true >>> >>> >>> For any questions, please contact us via our support portal. >>> >>> Regards, >>> Timo >>> >>> On 11.12.21 06:45, narasimha wrote: >>> > Folks, what about the veverica platform. Is there any >>> mitigation around it? >>> > >>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org >>> > <mailto:ches...@apache.org>> wrote: >>> > >>> > I would recommend to modify your log4j configurations to set >>> > log4j2.formatMsgNoLookups to true/./ >>> > / >>> > / >>> > As far as I can tell this is equivalent to upgrading log4j, which >>> > just disabled this lookup by default. >>> > / >>> > / >>> > On 10/12/2021 10:21, Richard Deurwaarder wrote: >>> >> Hello, >>> >> >>> >> There has been a log4j2 vulnerability made public >>> >> https://www.randori.com/blog/cve-2021-44228/ >>> <https://urldefense.com/v3/__https:/www.randori.com/blog/cve-2021-44228/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hT3zUr1cA$> >>> >> <https://www.randori.com/blog/cve-2021-44228/ >>> <https://urldefense.com/v3/__https:/www.randori.com/blog/cve-2021-44228/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hT3zUr1cA$>> >>> which is making >>> >> some waves :) >>> >> This post even explicitly mentions Apache Flink: >>> >> >>> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/ >>> <https://urldefense.com/v3/__https:/securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQ-1px2RQ$> >>> >> < >>> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/ >>> <https://urldefense.com/v3/__https:/securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQ-1px2RQ$> >>> > >>> >> >>> >> And fortunately, I saw this was already on your radar: >>> >> https://issues.apache.org/jira/browse/FLINK-25240 >>> <https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25240__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQoveuE5g$> >>> >> <https://issues.apache.org/jira/browse/FLINK-25240 >>> <https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25240__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQoveuE5g$> >>> > >>> >> >>> >> What would the advice be for flink users? Do you expect to push a >>> >> minor to fix this? Or is it advisable to upgrade to the latest >>> >> log4j2 version manually for now? >>> >> >>> >> Thanks for any advice! >>> > >>> > >>> > >>> > >>> > -- >>> > A.Narasimha Swamy >>> >>> >>> >>> >>> >>> >>> -- >>> >>> A.Narasimha Swamy >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> -- >>> >>> Regards, >>> Parag Surajmal Somani. >>> >>> >>> >>> >>> >>> >>> -- >>> >>> A.Narasimha Swamy >>> >>> > > ------------------------------ > IMPORTANT NOTICE: This e-mail, including any attachments, may contain > confidential information and is intended only for the addressee(s) named > above. If you are not the intended recipient(s), you should not > disseminate, distribute, or copy this e-mail. Please notify the sender by > reply e-mail immediately if you have received this e-mail in error and > permanently delete all copies of the original message from your system. > E-mail transmission cannot be guaranteed to be secure as it could be > intercepted, corrupted, lost, destroyed, arrive late or incomplete, or > contain viruses. Company accepts no liability for any damage or loss of > confidential information caused by this email or due to any virus > transmitted by this email or otherwise.
