That's right, they are referenced in POMs published with the jars, though. But that's minor.
On Wed, Dec 15, 2021 at 12:28 PM Chesnay Schepler <ches...@apache.org> wrote:
> AFAIK none of the jars we publish actually contains log4j.
> It's only bundled by the distribution/python binaries/docker images.
>
> Hence I don't think the jars help in this case.
>
> On 15/12/2021 10:42, Stephan Ewen wrote:
> > Given that these artifacts are published already, users can use them if
> > they want to update now:
> >
> > For example:
> > https://search.maven.org/artifact/org.apache.flink/flink-core/1.14.1/jar
> >
> > Just for the users that really want to update now (rather than rely on the
> > mitigation via config) and are not as much concerned about the remaining
> > weakness in log4j 2.15.0
> >
> > On Tue, Dec 14, 2021 at 11:18 PM Seth Wiesman <sjwies...@gmail.com> wrote:
> >
> >> Thank you for managing these updates Chesnay!
> >>
> >> On Tue, Dec 14, 2021 at 3:51 PM Chesnay Schepler <ches...@apache.org> wrote:
> >>
> >>> Since the maven artifacts have already been published we will use the
> >>> next patch version for each release, i.e.:
> >>> 1.11.6
> >>> 1.12.7
> >>> 1.13.5
> >>> 1.14.2
> >>>
> >>> (We could technically just update the source/binaries, but that seems
> >>> fishy).
> >>>
> >>> On 14/12/2021 22:38, Chesnay Schepler wrote:
> >>>> I'm canceling the release because the issue was not fully fixed in
> >>>> Log4j 2.15.0; see CVE-2021-45046.
> >>>>
> >>>> I will start preparing new release candidates that use Log4j 2.16.0 .
> >>>>
> >>>> On 14/12/2021 21:28, Chesnay Schepler wrote:
> >>>>> The vote duration has passed and we have approved the releases.
> >>>>>
> >>>>> Binding votes:
> >>>>> * Stephan
> >>>>> * Till
> >>>>> * Xintong
> >>>>> * Zhu
> >>>>> * Gordon
> >>>>>
> >>>>> I will not finalize the release.
> >>>>>
> >>>>> On 13/12/2021 20:28, Chesnay Schepler wrote:
> >>>>>> Hi everyone,
> >>>>>>
> >>>>>> This vote is for the emergency patch releases for 1.11, 1.12, 1.13
> >>>>>> and 1.14 to address CVE-2021-44228.
> >>>>>> It covers all 4 releases as they contain the same changes (upgrading
> >>>>>> Log4j to 2.15.0) and were prepared simultaneously by the same person.
> >>>>>> (Hence, if something is broken, it likely applies to all releases)
> >>>>>>
> >>>>>> Please review and vote on the release candidate #1 for the versions
> >>>>>> 1.11.5, 1.12.6, 1.13.4 and 1.14.1, as follows:
> >>>>>> [ ] +1, Approve the releases
> >>>>>> [ ] -1, Do not approve the releases (please provide specific comments)
> >>>>>>
> >>>>>> The complete staging area is available for your review, which includes:
> >>>>>> * JIRA release notes [1],
> >>>>>> * the official Apache source releases and binary convenience
> >>>>>>   releases to be deployed to dist.apache.org [2], which are signed
> >>>>>>   with the key with fingerprint C2EED7B111D464BA [3],
> >>>>>> * all artifacts to be deployed to the Maven Central Repository [4],
> >>>>>>   * *the jars for 1.13/1.14 are still being built*
> >>>>>> * source code tags [5],
> >>>>>> * website pull request listing the new releases and adding
> >>>>>>   announcement blog post [6].
> >>>>>>
> >>>>>> The vote will be open for at least 24 hours. The minimum vote time
> >>>>>> has been shortened as the changes are minimal and the matter is urgent.
> >>>>>> It is adopted by majority approval, with at least 3 PMC affirmative
> >>>>>> votes.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Chesnay
> >>>>>>
> >>>>>> [1]
> >>>>>> 1.11: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350327
> >>>>>> 1.12: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350328
> >>>>>> 1.13: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350686
> >>>>>> 1.14: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350512
> >>>>>> [2]
> >>>>>> 1.11: https://dist.apache.org/repos/dist/dev/flink/flink-1.11.5-rc1/
> >>>>>> 1.12: https://dist.apache.org/repos/dist/dev/flink/flink-1.12.6-rc1/
> >>>>>> 1.13: https://dist.apache.org/repos/dist/dev/flink/flink-1.13.4-rc1/
> >>>>>> 1.14: https://dist.apache.org/repos/dist/dev/flink/flink-1.14.1-rc1/
> >>>>>> [3] https://dist.apache.org/repos/dist/release/flink/KEYS
> >>>>>> [4]
> >>>>>> 1.11/1.12: https://repository.apache.org/content/repositories/orgapacheflink-1455
> >>>>>> 1.13: https://repository.apache.org/content/repositories/orgapacheflink-1457
> >>>>>> 1.14: https://repository.apache.org/content/repositories/orgapacheflink-1456
> >>>>>> [5]
> >>>>>> 1.11: https://github.com/apache/flink/releases/tag/release-1.11.5-rc1
> >>>>>> 1.12: https://github.com/apache/flink/releases/tag/release-1.12.6-rc1
> >>>>>> 1.13: https://github.com/apache/flink/releases/tag/release-1.13.4-rc1
> >>>>>> 1.14: https://github.com/apache/flink/releases/tag/release-1.14.1-rc1
> >>>>>> [6] https://github.com/apache/flink-web/pull/489