+ 1 (non-binding)
* Select several files of each release to verify the signature and sha512sum. * Reviewed the flink-web PR * checked that those 4 release-branchs only contains fix to bump log4j2 version to 2.15.0 and then to 2.16.0 * Checked the JIRA release notes and found that FLINK-25317 [1] was tagged as 1.14.2 version to resolve by mistake. [1] https://issues.apache.org/jira/browse/FLINK-25317 Best Yun Tang ________________________________ From: Chesnay Schepler <ches...@apache.org> Sent: Wednesday, December 15, 2021 10:55 To: dev@flink.apache.org <dev@flink.apache.org> Subject: [VOTE] Release 1.11.6/1.12.7/1.13.5/1.14.2, release candidate #1 Hi everyone, This vote is for the emergency patch releases for 1.11, 1.12, 1.13 and 1.14 to address CVE-2021-44228/CVE-2021-45046. It covers all 4 releases as they contain the same changes (upgrading Log4j to 2.16.0) and were prepared simultaneously by the same person. (Hence, if something is broken, it likely applies to all releases) Note: 1.11/1.12 are still missing the Python Mac releases. Please review and vote on the release candidate #1 for the versions 1.11.6, 1.12.7, 1.13.5 and 1.14.2, as follows: [ ] +1, Approve the releases [ ] -1, Do not approve the releases (please provide specific comments) The complete staging area is available for your review, which includes: * JIRA release notes [1], * the official Apache source releases and binary convenience releases to be deployed to dist.apache.org [2], which are signed with the key with fingerprint C2EED7B111D464BA [3], * all artifacts to be deployed to the Maven Central Repository [4], * source code tags [5], * website pull request listing the new releases and adding announcement blog post [6]. The vote will be open for at least 24 hours. The minimum vote time has been shortened as the changes are minimal and the matter is urgent. It is adopted by majority approval, with at least 3 PMC affirmative votes. Thanks, Chesnay [1] 1.11: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351056 1.12: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351057 1.13: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351058 1.14: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12351059 [2] 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.6-rc1/ 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.7-rc1/ 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.5-rc1/ 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.2-rc1/ [3] https://dist.apache.org/repos/dist/release/flink/KEYS [4] 1.11: https://repository.apache.org/content/repositories/orgapacheflink-1460 1.12: https://repository.apache.org/content/repositories/orgapacheflink-1462 1.13: https://repository.apache.org/content/repositories/orgapacheflink-1459 1.14: https://repository.apache.org/content/repositories/orgapacheflink-1461 [5] 1.11: https://github.com/apache/flink/releases/tag/release-1.11.6-rc1 1.12: https://github.com/apache/flink/releases/tag/release-1.12.7-rc1 1.13: https://github.com/apache/flink/releases/tag/release-1.13.5-rc1 1.14: https://github.com/apache/flink/releases/tag/release-1.14.2-rc1 [6] https://github.com/apache/flink-web/pull/489
