We just push new images with the same tags.

On 01/11/2022 14:35, Matthias Pohl wrote:
The Docker image for Flink 1.12.7 uses an older base image which comes with OpenSSL 1.1.1k. There was a previous post on the OpenSSL mailing list reporting a low-severity vulnerability being fixed with 3.0.6 and 1.1.1r (both versions being explicitly mentioned) [1]. Therefore, I understand the post to mean that only 3.0.x would be affected and, as a consequence, Docker images below 1.13 would be fine.

I verified Mason's finding that only 1.14+ Docker images are affected. No full release is necessary as far as I understand. Theoretically, we would only have to push newer Docker images to the registry. I'm not sure what the right approach is when it comes to versioning. I'm curious about Chesnay's opinion on that one (CC'd).

[1] https://mta.openssl.org/pipermail/openssl-announce/2022-October/000233.html

On Tue, Nov 1, 2022 at 7:06 AM Prasanna kumar <prasannakumarram...@gmail.com> wrote:

    Could we also get an emergency patch for the 1.12 version as well,
    because upgrading Flink to a newer version in production in a
    short time would be high in effort and long in duration as well.

    Thanks,
    Prasanna

    On Tue, Nov 1, 2022 at 11:30 AM Prasanna kumar
    <prasannakumarram...@gmail.com> wrote:

        Is Flink version 1.12 also affected?

        Thanks,
        Prasanna.

        On Tue, Nov 1, 2022 at 10:40 AM Mason Chen
        <mas.chen6...@gmail.com> wrote:

            Hi Tamir and Martijn,

            We have also noticed this internally. So far, we have
            found that the latest Flink Java 11/Scala 2.12 Docker
            images 1.14, 1.15, and 1.16 are affected, which all have
            the openssl 3.0.2 dependency. It would be good to
            discuss an emergency release when this patch comes out
            tomorrow, as it is the highest priority level from their
            severity rating.

            Best,
            Mason

            On Mon, Oct 31, 2022 at 1:10 PM Martijn Visser
            <martijnvis...@apache.org> wrote:

                Hi Tamir,

                That depends on a) if Flink is vulnerable and b) if
                yes, how vulnerable that would be.

                Best regards,

                Martijn

                Op ma 31 okt. 2022 om 19:22 schreef Tamir Sagi
                <tamir.s...@niceactimize.com>

                    Hey all,

                    Following that link
https://eu01.z.antigena.com/l/CjXA7qEmnn79gc24BA2Hb6K2OVR-yGlLfMyp4smo5aXj5Z6WC0dSiHCRPqjSz972DkRNssUoTbxKmp5Pi3IaaVB983yfLJ9MUZY9LYtnBMEKJP5DcQqmhR3SktltkbVG8b7nSRa84kWSnwNJFuXFLA2GrMLTVG7mXdy59-ykolsAWAVAJSDgRdWCv6xN0iczvQ
                    due to a critical vulnerability, there will be an
                    important release of OpenSSL v3.0.7 tomorrow,
                    November 1st.

                    Is there any plan to update Flink with the newest
                    version?

                    Thanks.
                    Tamir



                -- Martijn
                https://twitter.com/MartijnVisser82
                https://github.com/MartijnVisser
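As an added example (not code from this thread or from the Flink project): a small POSIX shell check that classifies an image's `openssl version` output the way the thread sorts the images, treating 3.0.0 through 3.0.6 as affected by the fix shipped in 3.0.7 (the thread's reading of the announcement) and the 1.1.1 line as not affected by that fix. It assumes the image has an `openssl` binary on its PATH so it can be invoked via `docker run --entrypoint`; the image names and version strings in the sample data are constructed for the demo, not captured from real images.

```shell
#!/bin/sh
# Classify one line of `openssl version` output against the OpenSSL 3.0.7
# release discussed in the thread. Prints exactly one word:
#   affected   - 3.0.0 .. 3.0.6 (the range the 3.0.7 release fixes)
#   unaffected - 3.0.7 and later, or the 1.x line, which that fix does not touch
#   unknown    - anything that is not an "OpenSSL <version> ..." line
classify_openssl_version() {
    line="$1"
    # Second whitespace-separated field of e.g. "OpenSSL 3.0.2 15 Mar 2022".
    ver=$(printf '%s\n' "$line" | awk '$1 == "OpenSSL" { print $2 }')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    case "$ver" in
        3.0.[0-6]|3.0.[0-6][a-z]*)
            echo affected ;;          # 3.0.0 .. 3.0.6, with or without a letter suffix
        3.0.*|3.[1-9]*|[4-9].*)
            echo unaffected ;;        # 3.0.7+, 3.1+, 4.x ... (3.0.10 lands here, not above)
        1.*)
            echo unaffected ;;        # 1.1.1x / 1.0.x: not covered by the 3.0.7 fix
        *)
            echo unknown ;;
    esac
}

# Query real images. Requires a working docker CLI and an openssl binary in
# the image (an assumption about the image contents); not exercised offline.
check_images() {
    for img in "$@"; do
        v=$(docker run --rm --entrypoint openssl "$img" version 2>/dev/null) || v=""
        printf '%-36s %-28s %s\n' "$img" "${v:-<no openssl binary>}" \
            "$(classify_openssl_version "$v")"
    done
}

# Constructed sample data for an offline demo: image tag | `openssl version` line.
# The tags follow the flink image naming pattern but are assumptions, as are the
# version strings (the thread reports 1.1.1k for 1.12.7 and 3.0.2 for 1.14-1.16;
# the 3.0.7 line stands in for a hypothetical rebuilt image).
SAMPLE_VERSIONS='flink:1.12.7-scala_2.12-java11|OpenSSL 1.1.1k  25 Mar 2021
flink:1.14.6-scala_2.12-java11|OpenSSL 3.0.2 15 Mar 2022
flink:1.16.0-scala_2.12-java11|OpenSSL 3.0.7 1 Nov 2022
some/other-image:latest|LibreSSL 3.3.6'

printf '%s\n' "$SAMPLE_VERSIONS" | while IFS='|' read -r img line; do
    printf '%-36s %-28s %s\n' "$img" "$line" "$(classify_openssl_version "$line")"
done
```

To run it against registry images instead of the sample data, call `check_images flink:1.14.6-scala_2.12-java11 flink:1.16.0-scala_2.12-java11` (or whatever tags you deploy). Because the thread's fix path is "push new images with the same tags", pull with `docker pull` first so the check sees the current image behind a tag rather than a cached older layer.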
