I saw the update from them as well, so +1. The downgrade in severity makes it less urgent for us now, and I'm fine with waiting for the next regular Flink Docker release. We would need to wait for the upstream image provider to patch it as well. Thanks!
Best,
Mason

On Tue, Nov 1, 2022 at 9:18 AM Martijn Visser <martijnvis...@apache.org> wrote:

> Hi all,
>
> Looking at the blog with details https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows it's shown that the vulnerability has been downgraded to High. I don't think that warrants an emergency re-release of the images.
>
> Best regards,
>
> Martijn
>
> On Tue, 1 Nov 2022 at 15:06, Chesnay Schepler <ches...@apache.org> wrote:
>
>> We just push new images with the same tags.
>>
>> On 01/11/2022 14:35, Matthias Pohl wrote:
>>
>> The Docker image for Flink 1.12.7 uses an older base image which comes with openssl 1.1.1k. There was a previous post in the OpenSSL mailing list reporting a low vulnerability being fixed with 3.0.6 and 1.1.1r (both versions being explicitly mentioned) [1]. Therefore, I understand the post in a way that only 3.0.x would be affected and, as a consequence, Docker images below 1.13 would be fine.
>>
>> I verified Mason's finding that only 1.14+ Docker images are affected. No entire release is necessary as far as I understand. Theoretically, we would only have to push newer Docker images to the registry. I'm not sure what the right approach is when it comes to versioning. I'm curious about Chesnay's opinion on that one (CC'd).
>>
>> [1] https://mta.openssl.org/pipermail/openssl-announce/2022-October/000233.html
>>
>> On Tue, Nov 1, 2022 at 7:06 AM Prasanna kumar <prasannakumarram...@gmail.com> wrote:
>>
>>> Could we also get an emergency patch to the 1.12 version as well, because upgrading Flink to a newer version on production in a short time would be high in effort and longer in duration as well.
>>>
>>> Thanks,
>>> Prasanna
>>>
>>> On Tue, Nov 1, 2022 at 11:30 AM Prasanna kumar <prasannakumarram...@gmail.com> wrote:
>>>
>>>> Is Flink version 1.12 also affected?
>>>>
>>>> Thanks,
>>>> Prasanna.
>>>>
>>>> On Tue, Nov 1, 2022 at 10:40 AM Mason Chen <mas.chen6...@gmail.com> wrote:
>>>>
>>>>> Hi Tamir and Martijn,
>>>>>
>>>>> We have also noticed this internally. So far, we have found that the *latest* Flink Java 11/Scala 2.12 docker images *1.14, 1.15, and 1.16* are affected, which all have the *openssl 3.0.2* dependency. It would be good to discuss an emergency release when this patch comes out tomorrow, as it is the highest priority level from their severity rating.
>>>>>
>>>>> Best,
>>>>> Mason
>>>>>
>>>>> On Mon, Oct 31, 2022 at 1:10 PM Martijn Visser <martijnvis...@apache.org> wrote:
>>>>>
>>>>>> Hi Tamir,
>>>>>>
>>>>>> That depends on a) if Flink is vulnerable and b) if yes, how vulnerable that would be.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Martijn
>>>>>>
>>>>>> On Mon, 31 Oct 2022 at 19:22, Tamir Sagi <tamir.s...@niceactimize.com> wrote:
>>>>>>
>>>>>>> Hey all,
>>>>>>>
>>>>>>> Following that link https://eu01.z.antigena.com/l/CjXA7qEmnn79gc24BA2Hb6K2OVR-yGlLfMyp4smo5aXj5Z6WC0dSiHCRPqjSz972DkRNssUoTbxKmp5Pi3IaaVB983yfLJ9MUZY9LYtnBMEKJP5DcQqmhR3SktltkbVG8b7nSRa84kWSnwNJFuXFLA2GrMLTVG7mXdy59-ykolsAWAVAJSDgRdWCv6xN0iczvQ
>>>>>>>
>>>>>>> due to a critical vulnerability, there will be an important release of OpenSSL v3.0.7 tomorrow, November 1st.
>>>>>>>
>>>>>>> Is there any plan to update Flink with the newest version?
>>>>>>>
>>>>>>> Thanks.
>>>>>>> Tamir
>>>>>>>
>>>>>>> Confidentiality: This communication and any attachments are intended for the above-named persons only and may be confidential and/or legally privileged. Any opinions expressed in this communication are not necessarily those of NICE Actimize. If this communication has come to you in error you must take no action based on it, nor must you copy or show it to anyone; please delete/destroy and inform the sender by e-mail immediately.
>>>>>>> Monitoring: NICE Actimize may monitor incoming and outgoing e-mails.
>>>>>>> Viruses: Although we have taken steps toward ensuring that this e-mail and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free.
>>>>>>
>>>>>> --
>>>>>> Martijn
>>>>>> https://twitter.com/MartijnVisser82
>>>>>> https://github.com/MartijnVisser
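The inventory step Matthias and Mason describe above (which images bundle an OpenSSL in the 3.0.x range before the 3.0.7 fix, and which ship 1.1.1 and are not affected) can be scripted. The following POSIX shell script is an added example, not code from the thread or from the Flink project: `classify_openssl` parses a line of `openssl version` output and reports whether it falls in the affected range, and `audit_images` runs that check inside a list of images. The image tags in the example invocation are assumed, and the sample version lines it runs against are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Flink project). Classifies the
# output of `openssl version` against the range discussed in the thread:
# 3.0.0 through 3.0.6 carry the flaw fixed in 3.0.7; 1.1.1 was never affected.

# classify_openssl "OpenSSL 3.0.2 15 Mar 2022" -> prints affected | fixed | not-affected
classify_openssl() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')       # second field is the version
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//') # "1k" -> "1" for 1.1.1-style versions
    patch=${patch:-0}
    if [ "$major" = "3" ] && [ "$minor" = "0" ]; then
        if [ "$patch" -lt 7 ]; then echo "affected"; else echo "fixed"; fi
    else
        echo "not-affected"
    fi
}

# Run each image's own openssl binary and report its classification.
# Needs Docker and registry access; image names are whatever you pass in.
audit_images() {
    for image in "$@"; do
        if out=$(docker run --rm "$image" openssl version 2>/dev/null); then
            echo "$image: $(classify_openssl "$out") ($out)"
        else
            echo "$image: openssl not found or image unavailable"
        fi
    done
}

# Constructed sample lines standing in for what the images would print.
for sample in "OpenSSL 1.1.1k  25 Mar 2021" "OpenSSL 3.0.2 15 Mar 2022" "OpenSSL 3.0.7 1 Nov 2022"; do
    echo "$sample -> $(classify_openssl "$sample")"
done

# Example invocation (assumed tags):
#   sh audit.sh flink:1.12.7-scala_2.12-java11 flink:1.14-scala_2.12-java11
if [ "$#" -gt 0 ]; then
    audit_images "$@"
fi
```

The classification deliberately keys on the version the image's own `openssl` binary reports rather than on the Flink tag, since the thread's conclusion (1.14+ affected, 1.12.7 not) rests entirely on which base image a given tag was built from, and that can change when images are re-pushed under the same tag.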