Thank you for managing these updates Chesnay!
On Tue, Dec 14, 2021 at 3:51 PM Chesnay Schepler <ches...@apache.org> wrote: > Since the maven artifacts have already been published we will use the > next patch version for each release, i.e.: > 1.11.6 > 1.12.7 > 1.13.5 > 1.14.2 > > (We could technically just update the source/binaries, but that seems > fishy). > > On 14/12/2021 22:38, Chesnay Schepler wrote: > > I'm canceling the release because the issue was not fully fixed in > > Log4j 2.15.0; see CVE-2021-45046. > > > > I will start preparing new release candidates that use Log4j 2.16.0 . > > > > On 14/12/2021 21:28, Chesnay Schepler wrote: > >> The vote duration has passed and we have approved the releases. > >> > >> Binding votes: > >> * Stephan > >> * Till > >> * Xintong > >> * Zhu > >> * Gordon > >> > >> I will not finalize the release. > >> > >> On 13/12/2021 20:28, Chesnay Schepler wrote: > >>> Hi everyone, > >>> > >>> This vote is for the emergency patch releases for 1.11, 1.12, 1.13 > >>> and 1.14 to address CVE-2021-44228. > >>> It covers all 4 releases as they contain the same changes (upgrading > >>> Log4j to 2.15.0) and were prepared simultaneously by the same person. > >>> (Hence, if something is broken, it likely applies to all releases) > >>> > >>> Please review and vote on the release candidate #1 for the versions > >>> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows: > >>> [ ] +1, Approve the releases > >>> [ ] -1, Do not approve the releases (please provide specific comments) > >>> > >>> The complete staging area is available for your review, which includes: > >>> * JIRA release notes [1], > >>> * the official Apache source releases and binary convenience > >>> releases to be deployed to dist.apache.org [2], which are signed > >>> with the key with fingerprint C2EED7B111D464BA [3], > >>> * all artifacts to be deployed to the Maven Central Repository [4], > >>> * *the jars for 1.13/1.14 are still being built* > >>> * source code tags [5], > >>> * website pull request listing the new releases and adding > >>> announcement blog post [6]. > >>> > >>> The vote will be open for at least 24 hours. The minimum vote time > >>> has been shortened as the changes are minimal and the matter is urgent. > >>> It is adopted by majority approval, with at least 3 PMC affirmative > >>> votes. > >>> > >>> Thanks, > >>> Chesnay > >>> > >>> [1] > >>> 1.11: > >>> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327 > >>> 1.12: > >>> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328 > >>> 1.13: > >>> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686 > >>> 1.14: > >>> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512 > >>> [2] > >>> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/ > >>> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/ > >>> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/ > >>> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/ > >>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS > >>> [4] > >>> 1.11/1.12: > >>> https://repository.apache.org/content/repositories/orgapacheflink-1455 > >>> 1.13: > >>> https://repository.apache.org/content/repositories/orgapacheflink-1457 > >>> 1.14: > >>> https://repository.apache.org/content/repositories/orgapacheflink-1456 > >>> [5] > >>> 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1 > >>> 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1 > >>> 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1 > >>> 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1 > >>> [6] https://github.com/apache/flink-web/pull/489 > >>> > >> > > > >