Hi Surendra,

You can follow the discussion on this topic in the Dev mailing list [1]. I
would expect it in the next couple of weeks.

Best regards,

Martijn

[1] https://lists.apache.org/thread/n417406j125n080vopljgfflc45yygh4

On Fri, 4 Feb 2022 at 08:49, Surendra Lalwani <surendra.lalw...@swiggy.in>
wrote:

> Hi Team,
>
> Any ETA on the Flink version 1.13.6 release?
>
> Thanks and Regards,
> Surendra Lalwani
>
>
> On Sun, Jan 9, 2022 at 3:50 PM David Morávek <d...@apache.org> wrote:
>
>> Flink community officially only supports current and previous minor
>> versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn’t expect
>> there will be another patch release for 1.12.
>>
>> If you really need an extra release for the unsupported version, the most
>> straightforward approach would be manually building the Flink distribution
>> from sources [2] with the patches you need.
>>
>> [1] https://flink.apache.org/downloads.html#update-policy-for-old-releases
>> [2] https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source
>>
>> D.
>>
>> On Sun 9. 1. 2022 at 10:10, V N, Suchithra (Nokia - IN/Bangalore) <
>> suchithra....@nokia.com> wrote:
>>
>>> Hi David,
>>>
>>>
>>>
>>> As per the below comments, Flink 1.14.3 is in preparation and this
>>> hasn't started yet for Flink 1.13.6. Flink 1.12.8 release will be
>>> planned after this? If there is no current plan, could you please let us
>>> know what will be the regular release timing for 1.12.8 version.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Suchithra
>>>
>>>
>>>
>>> *From:* David Morávek <d...@apache.org>
>>> *Sent:* Sunday, January 9, 2022 12:11 AM
>>> *To:* V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>
>>> *Cc:* Chesnay Schepler <ches...@apache.org>; Martijn Visser <
>>> mart...@ververica.com>; Michael Guterl <gute...@justin.tv>; Parag
>>> Somani <somanipa...@gmail.com>; patrick.eif...@sony.com; Richard
>>> Deurwaarder <rich...@xeli.eu>; User <user@flink.apache.org>;
>>> subharaj.ma...@gmail.com; swamy.haj...@gmail.com
>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>
>>>
>>>
>>> Hi Suchithra,
>>>
>>>
>>>
>>> there is currently no plan on doing another 1.12 release
>>>
>>>
>>>
>>> D.
>>>
>>>
>>>
>>> On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) <
>>> suchithra....@nokia.com> wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> When can we expect the flink 1.12 releases with log4j 2.17.1?
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Suchithra
>>>
>>>
>>>
>>> *From:* Martijn Visser <mart...@ververica.com>
>>> *Sent:* Thursday, January 6, 2022 7:45 PM
>>> *To:* patrick.eif...@sony.com
>>> *Cc:* David Morávek <d...@apache.org>; swamy.haj...@gmail.com;
>>> subharaj.ma...@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) <
>>> suchithra....@nokia.com>; Chesnay Schepler <ches...@apache.org>; User <
>>> user@flink.apache.org>; Michael Guterl <gute...@justin.tv>; Richard
>>> Deurwaarder <rich...@xeli.eu>; Parag Somani <somanipa...@gmail.com>
>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>
>>>
>>>
>>> Hi all,
>>>
>>>
>>>
>>> The ticket for upgrading Log4J to 2.17.0 is
>>> https://issues.apache.org/jira/browse/FLINK-25375. There's also the
>>> update to Log4j 2.17.1 which is tracked under
>>> https://issues.apache.org/jira/browse/FLINK-25472
>>>
>>>
>>>
>>> As you can see, both have a fix version set to 1.14.3 and 1.13.6. These
>>> versions haven't been released yet. Flink 1.14.3 is in preparation, this
>>> hasn't started yet for Flink 1.13.6.
>>>
>>>
>>>
>>> Best regards,
>>>
>>>
>>>
>>> Martijn
>>>
>>>
>>>
>>> On Thu, 6 Jan 2022 at 15:05, <patrick.eif...@sony.com> wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> just to be sure: Which Flink Releases for 1.14 and 1.13 have the
>>> upgraded log4j version 2.17.0?
>>>
>>> Are those already deployed to docker?
>>>
>>>
>>>
>>> Many Thanks in Advance.
>>>
>>>
>>>
>>> Kind Regards,
>>>
>>>
>>>
>>> Patrick
>>>
>>> --
>>>
>>> Patrick Eifler
>>>
>>>
>>>
>>> Senior Software Engineer (BI)
>>>
>>> Cloud Gaming Engineering & Infrastructure
>>> Sony Interactive Entertainment LLC
>>>
>>> Wilhelmstraße 118, 10963 Berlin
>>>
>>>
>>> Germany
>>>
>>> E: patrick.eif...@sony.com
>>>
>>>
>>>
>>> *From: *David Morávek <d...@apache.org>
>>> *Date: *Wednesday, 29. December 2021 at 09:35
>>> *To: *narasimha <swamy.haj...@gmail.com>
>>> *Cc: *Debraj Manna <subharaj.ma...@gmail.com>, Martijn Visser <
>>> mart...@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) <
>>> suchithra....@nokia.com>, Chesnay Schepler <ches...@apache.org>, user <
>>> user@flink.apache.org>, Michael Guterl <gute...@justin.tv>, Richard
>>> Deurwaarder <rich...@xeli.eu>, Parag Somani <somanipa...@gmail.com>
>>> *Subject: *Re: CVE-2021-44228 - Log4j2 vulnerability
>>>
>>> Please follow the above mentioned ML thread for more details. Please
>>> note that this is a REGULAR release that is not motivated by the log4j CVE,
>>> so the stability of the release is the more important factor than having it
>>> out as soon as possible.
>>>
>>>
>>>
>>> D.
>>>
>>>
>>>
>>> On Mon, Dec 27, 2021 at 6:33 AM narasimha <swamy.haj...@gmail.com>
>>> wrote:
>>>
>>> Hi folks,
>>>
>>>
>>>
>>> When can we expect the release to be made available to the community?
>>>
>>>
>>>
>>> On Wed, Dec 22, 2021 at 3:07 PM David Morávek <d...@apache.org> wrote:
>>>
>>> Hi Debraj,
>>>
>>>
>>>
>>> we're currently not planning another emergency release as this CVE is
>>> not as critical for Flink users as the previous one. However, this patch
>>> will be included in all upcoming patch & minor releases. The patch release
>>> for the 1.14.x branch is already in progress [1] (it may be a bit delayed due
>>> to the holiday season).
>>>
>>>
>>>
>>> [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk
>>>
>>>
>>>
>>> Best,
>>>
>>> D.
>>>
>>>
>>>
>>> On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <subharaj.ma...@gmail.com>
>>> wrote:
>>>
>>> Any idea when can we expect
>>> https://issues.apache.org/jira/browse/FLINK-25375
>>> to be released?
>>>
>>>
>>>
>>> On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <mart...@ververica.com>
>>> wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked
>>> at https://issues.apache.org/jira/browse/FLINK-25375
>>> .
>>>
>>>
>>>
>>> Best regards,
>>>
>>>
>>>
>>> Martijn
>>>
>>>
>>>
>>> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <
>>> suchithra....@nokia.com> wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> It seems there is a high severity vulnerability in log4j 2.16.0
>>> (CVE-2021-45105).
>>>
>>> Refer: https://logging.apache.org/log4j/2.x/security.html
>>>
>>> Any update on this please?
>>>
>>>
>>>
>>> Regards,
>>>
>>> Suchithra
>>>
>>>
>>>
>>> *From:* Chesnay Schepler <ches...@apache.org>
>>> *Sent:* Thursday, December 16, 2021 4:35 PM
>>> *To:* Parag Somani <somanipa...@gmail.com>
>>> *Cc:* Michael Guterl <gute...@justin.tv>; V N, Suchithra (Nokia -
>>> IN/Bangalore) <suchithra....@nokia.com>; Richard Deurwaarder <
>>> rich...@xeli.eu>; user <user@flink.apache.org>
>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>
>>>
>>>
>>> We will announce the releases when the binaries are available.
>>>
>>>
>>>
>>> On 16/12/2021 05:37, Parag Somani wrote:
>>>
>>> Thank you Chesnay for expediting this fix...!
>>>
>>>
>>>
>>> Can you suggest, when can I get binaries for 1.14.2 flink version?
>>>
>>>
>>>
>>> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org>
>>> wrote:
>>>
>>> We will push docker images for all new releases, yes.
>>>
>>>
>>>
>>> On 16/12/2021 01:16, Michael Guterl wrote:
>>>
>>> Will you all be pushing Docker images for the 1.11.6 release?
>>>
>>>
>>>
>>> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ches...@apache.org>
>>> wrote:
>>>
>>> The current ETA is 40h for an official announcement.
>>>
>>> We are validating the release today (concludes in 16h), publish it
>>> tonight, then wait for mirrors to sync (about a day), then we announce
>>> it.
>>>
>>>
>>>
>>> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
>>>
>>> Hello,
>>>
>>>
>>>
>>> Could you please tell when we can expect Flink 1.12.7 release? We are
>>> waiting for the CVE fix.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Suchithra
>>>
>>>
>>>
>>>
>>>
>>> *From:* Chesnay Schepler <ches...@apache.org>
>>> *Sent:* Wednesday, December 15, 2021 4:04 PM
>>> *To:* Richard Deurwaarder <rich...@xeli.eu>
>>> *Cc:* user <user@flink.apache.org>
>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>
>>>
>>>
>>> We will also update the docker images.
>>>
>>>
>>>
>>> On 15/12/2021 11:29, Richard Deurwaarder wrote:
>>>
>>> Thanks for picking this up quickly!
>>>
>>>
>>>
>>> I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which
>>> is perfect.
>>>
>>>
>>>
>>> Just to clarify: Will you also push new docker images for these releases
>>> as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :()
>>>
>>>
>>>
>>> On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com>
>>> wrote:
>>>
>>> Thanks Timo, that was helpful.
>>>
>>>
>>>
>>> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <
>>> prasannakumarram...@gmail.com> wrote:
>>>
>>> Chesnay, thank you for the clarification.
>>>
>>>
>>>
>>> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org>
>>> wrote:
>>>
>>> The flink-shaded-zookeeper jars do not contain log4j.
>>>
>>>
>>>
>>> On 13/12/2021 14:11, Prasanna kumar wrote:
>>>
>>> Does Zookeeper have this vulnerability dependency? I see references to
>>> log4j in Shaded Zookeeper jar included as part of the flink distribution.
>>>
>>>
>>>
>>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote:
>>>
>>> While we are working to upgrade the affected dependencies of all
>>> components, we recommend users follow the advisory of the Apache Log4j
>>> Community. Also Ververica platform can be patched with a similar
>>> approach:
>>>
>>> To configure the JVMs used by Ververica Platform, you can pass custom
>>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
>>> following to your platform values.yaml, or append to the existing value
>>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
>>> the platform with Helm:
>>> env:
>>>    - name: JAVA_TOOL_OPTIONS
>>>      value: -Dlog4j2.formatMsgNoLookups=true
>>>
>>>
>>> For any questions, please contact us via our support portal.
>>>
>>> Regards,
>>> Timo
>>>
>>> On 11.12.21 06:45, narasimha wrote:
>>> > Folks, what about the Ververica platform. Is there any
>>> > mitigation around it?
>>> >
>>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:
>>> >
>>> >     I would recommend to modify your log4j configurations to set
>>> >     log4j2.formatMsgNoLookups to true.
>>> >
>>> >     As far as I can tell this is equivalent to upgrading log4j, which
>>> >     just disabled this lookup by default.
>>> >
>>> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>>> >>     Hello,
>>> >>
>>> >>     There has been a log4j2 vulnerability made public
>>> >>     https://www.randori.com/blog/cve-2021-44228/ which is making
>>> >>     some waves :)
>>> >>     This post even explicitly mentions Apache Flink:
>>> >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>> >>
>>> >>     And fortunately, I saw this was already on your radar:
>>> >>     https://issues.apache.org/jira/browse/FLINK-25240
>>> >>
>>> >>     What would the advice be for flink users? Do you expect to push a
>>> >>     minor to fix this? Or is it advisable to upgrade to the latest
>>> >>     log4j2 version manually for now?
>>> >>
>>> >>     Thanks for any advice!
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > A.Narasimha Swamy
>>>
>>> --
>>>
>>> Regards,
>>> Parag Surajmal Somani.
>

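Added example, not part of the original thread or of Flink's own tooling: two questions recur above, whether a jar in the distribution actually bundles log4j-core (the shaded ZooKeeper question) and whether the bundled copy has reached the 2.17.1 tracked in FLINK-25472. The sketch below answers both by inspecting jar contents, including jars nested inside a fat job jar. The function names and the in-memory sample jars are constructed for illustration.

```python
import io
import re
import zipfile

JNDI_SUFFIX = "log4j/core/lookup/JndiLookup.class"  # suffix also matches relocated copies
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 1)  # Log4j version tracked in FLINK-25472

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def scan_jar(data, name, findings=None):
    """Recursively scan jar bytes and record every embedded log4j-core copy."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive, nothing to report
    with zf:
        names = zf.namelist()
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        has_jndi = any(n.endswith(JNDI_SUFFIX) for n in names)
        if version or has_jndi:
            stale = has_jndi and (version is None or version < FIXED)  # old or unknown version
            findings.append({"jar": name, "version": version, "jndi": has_jndi, "stale": stale})
        for inner in names:
            if inner.endswith((".jar", ".war")):  # fat jars nest their dependencies
                scan_jar(zf.read(inner), f"{name}!{inner}", findings)
    return findings

def make_jar(entries):  # constructed-sample helper: {path: bytes} -> jar bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in entries.items():
            zf.writestr(path, body)
    return buf.getvalue()

def log4j_core(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar (metadata and class path only)."""
    entries = {POM_PROPS: f"version={version}\n".encode()}
    if with_jndi:
        entries["org/apache/logging/" + JNDI_SUFFIX] = b"\xca\xfe\xba\xbe"
    return make_jar(entries)

if __name__ == "__main__":
    fat = make_jar({"lib/log4j-core-2.16.0.jar": log4j_core("2.16.0")})  # constructed
    print(scan_jar(fat, "job.jar"))
```

To audit a real installation, read each file under the distribution's lib directory (and each deployed job jar) and pass its bytes to `scan_jar`; an empty result means no log4j-core copy was found in that archive.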