Hello,

We are using Apache Flink 1.12 version. Due to log4j security 
vulnerabilities (CVE-2021-44228) we have upgraded to Flink 1.12.7, which contains 
the fix for CVE-2021-44228 (Critical) and CVE-2021-45046 (Critical). Later, two 
more vulnerabilities were reported, CVE-2021-45105 (Moderate) and 
CVE-2021-44832 (Moderate), which are fixed with Apache log4j 2.17.1, and we were 
expecting a patch release (Flink 1.12.8) with it.

As per the community, it supports current and previous minor versions (1.13, 
1.14) with bug fixes.

The Flink community officially only supports the current and previous minor versions 
[1] (1.13, 1.14) with bug fixes. Personally, I wouldn't expect there to be 
another patch release for 1.12.

If you really need an extra release for the unsupported version, the most 
straightforward approach would be manually building the Flink distribution from 
sources [2] with the patches you need.

[1] https://flink.apache.org/downloads.html#update-policy-for-old-releases
[2] https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source

The Apache Flink 1.12.7 release with the critical fix was really helpful. As per the 
ticket below, the log4j 2.17.1 code changes are committed.
https://issues.apache.org/jira/browse/FLINK-25472
Since these are security fixes, it will be helpful if Flink 1.12.8 is 
released. Could you please let us know if it is possible to plan this release?

Regards,
Suchithra
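A defender-side check for the situation discussed in this thread, added here as an example and not part of any message in it: a POSIX shell script that inspects the log4j-core jar bundled in a Flink distribution's lib/ directory and reports whether it is at or above 2.17.1, the version that carries the fixes for CVE-2021-45105 and CVE-2021-44832. It assumes the standard layout flink-<version>/lib/log4j-core-<x.y.z>.jar; the directory names and the MIN_LOG4J constant are this example's own choices.

```shell
#!/bin/sh
# Minimum log4j 2 version carrying the fixes discussed in the thread (2.17.1).
MIN_LOG4J="2.17.1"

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise (numeric, per component).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0 }'
}

# log4j_version_from_jar PATH: log4j-core-2.16.0.jar -> 2.16.0 (file name only).
log4j_version_from_jar() {
    basename "$1" .jar | sed 's/^log4j-core-//'
}

# check_flink_lib LIBDIR: exit 0 if every log4j-core jar is >= MIN_LOG4J,
# 1 if an outdated one is present, 2 if no log4j-core jar is found at all.
check_flink_lib() {
    lib_dir="$1"
    found=0
    status=0
    for jar in "$lib_dir"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue      # unmatched glob stays literal; skip it
        found=1
        ver=$(log4j_version_from_jar "$jar")
        if version_ge "$ver" "$MIN_LOG4J"; then
            echo "OK       $jar (log4j-core $ver >= $MIN_LOG4J)"
        else
            echo "OUTDATED $jar (log4j-core $ver < $MIN_LOG4J)"
            status=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        echo "no log4j-core jar found in $lib_dir"
        return 2
    fi
    return "$status"
}

# Typical use: check_flink_lib /opt/flink-1.12.7/lib
```

The check goes by jar file name only; a renamed jar, or a log4j copy shaded into a user's fat jar, is not covered and needs a separate scan of those artifacts.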