Hi all,

Looking at the blog with details https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows it's shown that the vulnerability has been downgraded to High. I don't think that warrants an emergency re-release of the images.

Best regards,

Martijn

On Tue 1 Nov 2022 at 15:06, Chesnay Schepler <ches...@apache.org> wrote:

> We just push new images with the same tags.
>
> On 01/11/2022 14:35, Matthias Pohl wrote:
>
>> The Docker image for Flink 1.12.7 uses an older base image which comes with openssl 1.1.1k. There was a previous post in the OpenSSL mailing list reporting a low vulnerability being fixed with 3.0.6 and 1.1.1r (both versions being explicitly mentioned) [1]. Therefore, I understand the post in a way that only 3.0.x would be affected and, as a consequence, Docker images below 1.13- would be fine.
>>
>> I verified Mason's finding that only 1.14+ Docker images are affected. No entire release is necessary as far as I understand. Theoretically, we would only have to push newer Docker images to the registry. I'm not sure what the right approach is when it comes to versioning. I'm curious about Chesnay's opinion on that one (CC'd).
>>
>> [1] https://mta.openssl.org/pipermail/openssl-announce/2022-October/000233.html
>>
>> On Tue, Nov 1, 2022 at 7:06 AM Prasanna kumar <prasannakumarram...@gmail.com> wrote:
>>
>>> Could we also get an emergency patch to the 1.12 version as well, because upgrading Flink to a newer version on production in a short time would be high in effort and longer in duration as well.
>>>
>>> Thanks,
>>> Prasanna
>>>
>>> On Tue, Nov 1, 2022 at 11:30 AM Prasanna kumar <prasannakumarram...@gmail.com> wrote:
>>>
>>>> Is Flink version 1.12 also affected?
>>>>
>>>> Thanks,
>>>> Prasanna.
>>>>
>>>> On Tue, Nov 1, 2022 at 10:40 AM Mason Chen <mas.chen6...@gmail.com> wrote:
>>>>
>>>>> Hi Tamir and Martijn,
>>>>>
>>>>> We have also noticed this internally. So far, we have found that the *latest* Flink Java 11/Scala 2.12 docker images *1.14, 1.15, and 1.16* are affected, which all have the *openssl 3.0.2* dependency. It would be good to discuss an emergency release when this patch comes out tomorrow, as it is the highest priority level from their severity rating.
>>>>>
>>>>> Best,
>>>>> Mason
>>>>>
>>>>> On Mon, Oct 31, 2022 at 1:10 PM Martijn Visser <martijnvis...@apache.org> wrote:
>>>>>
>>>>>> Hi Tamir,
>>>>>>
>>>>>> That depends on a) if Flink is vulnerable and b) if yes, how vulnerable that would be.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Martijn
>>>>>>
>>>>>> On Mon 31 Oct 2022 at 19:22, Tamir Sagi <tamir.s...@niceactimize.com> wrote:
>>>>>>
>>>>>>> Hey all,
>>>>>>>
>>>>>>> Following that link
>>>>>>> https://eu01.z.antigena.com/l/CjXA7qEmnn79gc24BA2Hb6K2OVR-yGlLfMyp4smo5aXj5Z6WC0dSiHCRPqjSz972DkRNssUoTbxKmp5Pi3IaaVB983yfLJ9MUZY9LYtnBMEKJP5DcQqmhR3SktltkbVG8b7nSRa84kWSnwNJFuXFLA2GrMLTVG7mXdy59-ykolsAWAVAJSDgRdWCv6xN0iczvQ
>>>>>>>
>>>>>>> due to a critical vulnerability, there will be an important release of OpenSSL v3.0.7 tomorrow, November 1st.
>>>>>>>
>>>>>>> Is there any plan to update Flink with the newest version?
>>>>>>>
>>>>>>> Thanks.
>>>>>>> Tamir
>>>>>>>
>>>>>>> Confidentiality: This communication and any attachments are intended for the above-named persons only and may be confidential and/or legally privileged. Any opinions expressed in this communication are not necessarily those of NICE Actimize. If this communication has come to you in error you must take no action based on it, nor must you copy or show it to anyone; please delete/destroy and inform the sender by e-mail immediately.
>>>>>>> Monitoring: NICE Actimize may monitor incoming and outgoing e-mails.
>>>>>>> Viruses: Although we have taken steps toward ensuring that this e-mail and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free.
>>>>>>
>>>>>> --
>>>>>> Martijn
>>>>>> https://twitter.com/MartijnVisser82
>>>>>> https://github.com/MartijnVisser
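The question the thread keeps coming back to is which images ship an affected OpenSSL build. Below is an added example of that triage, written for this page and not code from the Flink project or from any participant. It assumes the `openssl version` banner has the shape `OpenSSL 3.0.2 15 Mar 2022`, it encodes the scope the thread states (the 3.0.x series before 3.0.7 is affected, the 1.1.1 series is not), and the image labels and banners in `SAMPLE_BANNERS` are constructed samples rather than real tags. The `image_openssl_banner` helper is the only part that touches Docker; everything else works on captured banner text.

```python
"""Triage container images by the OpenSSL version they ship.

Added example for this thread, not code from the Flink project or from any
participant. Assumptions: the `openssl version` banner looks like
"OpenSSL 3.0.2 15 Mar 2022"; per the thread, the 3.0.x series before 3.0.7
is affected and the 1.1.1 series is not; the image labels below are
constructed samples, not real tags.
"""
import re
import subprocess
from typing import Dict, Iterable, Optional, Tuple

# First fixed release named in the thread.
FIXED_IN = (3, 0, 7)

# Matches "OpenSSL 1.1.1k" and "OpenSSL 3.0.2" (patch letter optional).
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, str]


def parse_openssl_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch, letter) from an `openssl version` banner."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, patch, letter = match.groups()
    return int(major), int(minor), int(patch), letter


def is_affected(version: Version) -> bool:
    """True when the version is in the 3.0 series and older than the fix."""
    major, minor, patch, _letter = version
    # Only the 3.0.x line is in scope; 1.1.1 (any letter suffix) is not.
    return (major, minor) == (FIXED_IN[0], FIXED_IN[1]) and patch < FIXED_IN[2]


def image_openssl_banner(image: str) -> str:
    """Run `openssl version` inside an image. Needs a local Docker daemon.

    Any failure (no daemon, no openssl binary in the image) is returned as
    text so that triage() reports the image as 'unknown' instead of crashing.
    """
    try:
        completed = subprocess.run(
            ["docker", "run", "--rm", "--entrypoint", "openssl", image, "version"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError) as exc:
        return f"error: {exc}"
    return completed.stdout


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each image label to 'affected', 'not affected' or 'unknown'."""
    verdicts = {}
    for image, banner in banners.items():
        version = parse_openssl_version(banner)
        if version is None:
            verdicts[image] = "unknown"
        elif is_affected(version):
            verdicts[image] = "affected"
        else:
            verdicts[image] = "not affected"
    return verdicts


def triage_live(images: Iterable[str]) -> Dict[str, str]:
    """Same triage, but pulling the banner from each real image via Docker."""
    return triage({image: image_openssl_banner(image) for image in images})


# Constructed sample banners mirroring the versions named in the thread.
SAMPLE_BANNERS = {
    "sample flink 1.12 image": "OpenSSL 1.1.1k  25 Mar 2021",
    "sample flink 1.16 image": "OpenSSL 3.0.2 15 Mar 2022",
    "sample rebuilt image": "OpenSSL 3.0.7 1 Nov 2022",
    "sample image without openssl": "sh: openssl: not found",
}


if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{label}: {verdict}")
```

Running the module prints a verdict per sample label; swapping `triage(SAMPLE_BANNERS)` for `triage_live([...])` with real image names performs the same check against a local Docker daemon. The version comparison deliberately ignores the letter suffix of 1.1.1 builds, since the thread's scope is the 3.0.x line only; a rebuilt image that reports 3.0.7 or later falls out of scope.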