We just push new images with the same tags.
On 01/11/2022 14:35, Matthias Pohl wrote:
The Docker image for Flink 1.12.7 uses an older base image which comes
with openssl 1.1.1k. There was a previous post in the OpenSSL mailing
list reporting a low vulnerability being fixed with 3.0.6 and 1.1.1r
(both versions being explicitly mentioned) [1]. Therefore, I
understand the post in a way that only 3.0.x would be affected and, as
a consequence, Docker images below 1.13- would be fine.
I verified Mason's finding that only 1.14+ Docker images are affected.
No entire release is necessary as far as I understand. Theoretically,
we would only have to push newer Docker images to the registry. I'm
not sure what the right approach is when it comes to versioning. I'm
curious about Chesnay's opinion on that one (CC'd).
[1] https://mta.openssl.org/pipermail/openssl-announce/2022-October/000233.html
On Tue, Nov 1, 2022 at 7:06 AM Prasanna kumar
<prasannakumarram...@gmail.com> wrote:
Could we also get an emergency patch to 1.12 version as well,
because upgrading Flink to a newer version on production in a
short time would be high in effort and longer in duration as well.
Thanks,
Prasanna
On Tue, Nov 1, 2022 at 11:30 AM Prasanna kumar
<prasannakumarram...@gmail.com> wrote:
Is Flink version 1.12 also affected?
Thanks,
Prasanna.
On Tue, Nov 1, 2022 at 10:40 AM Mason Chen
<mas.chen6...@gmail.com> wrote:
Hi Tamir and Martijn,
We have also noticed this internally. So far, we have
found that the *latest* Flink Java 11/Scala 2.12 docker
images *1.14, 1.15, and 1.16* are affected, which all have
the *openssl 3.0.2* dependency. It would be good to
discuss an emergency release when this patch comes out
tomorrow, as it is the highest priority level from their
severity rating.
Best,
Mason
On Mon, Oct 31, 2022 at 1:10 PM Martijn Visser
<martijnvis...@apache.org> wrote:
Hi Tamir,
That depends on a) if Flink is vulnerable and b) if
yes, how vulnerable that would be.
Best regards,
Martijn
On Mon, Oct 31, 2022 at 19:22, Tamir Sagi
<tamir.s...@niceactimize.com> wrote:
Hey all,
Following that link
https://eu01.z.antigena.com/l/CjXA7qEmnn79gc24BA2Hb6K2OVR-yGlLfMyp4smo5aXj5Z6WC0dSiHCRPqjSz972DkRNssUoTbxKmp5Pi3IaaVB983yfLJ9MUZY9LYtnBMEKJP5DcQqmhR3SktltkbVG8b7nSRa84kWSnwNJFuXFLA2GrMLTVG7mXdy59-ykolsAWAVAJSDgRdWCv6xN0iczvQ
due to a critical vulnerability, there will be an
important release of OpenSSL v3.0.7 tomorrow,
November 1st.
Is there any plan to update Flink with the newest
version?
Thanks.
Tamir
--
Martijn
https://twitter.com/MartijnVisser82
https://github.com/MartijnVisser