Hi Suchithra,

I don't think there is a plan to release 1.12.7 for this. But I think you could build it from the source. [1]

[1] https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source

Best,
Guowei

On Wed, Jan 19, 2022 at 7:11 PM V N, Suchithra (Nokia - IN/Bangalore) <[email protected]> wrote:

> Hello,
>
> We are using Apache Flink 1.12 version. Due to log4j security
> vulnerabilities (CVE-2021-44228) we have upgraded to Flink 1.12.7 which
> contains the fix for CVE-2021-44228 (Critical) and CVE-2021-45046 (Critical).
> Later two more vulnerabilities are reported, CVE-2021-45105 (Moderate) and
> CVE-2021-44832 (Moderate), which is fixed with Apache log4j 2.17.1 and we
> were expecting patch release (Flink 1.12.8) with it.
>
> As per the community, it supports current and previous minor versions
> (1.13, 1.14) with bug fixes.
>
> Flink community officially only supports current and previous minor
> versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn't expect
> there will be another patch release for 1.12.
>
> If you really need an extra release for the unsupported version, the most
> straightforward approach would be manually building the Flink distribution
> from sources [2] with the patches you need.
>
> [1] https://flink.apache.org/downloads.html#update-policy-for-old-releases
> [2] https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source
>
> Apache Flink 1.12.7 release with critical fix was really helpful. As per
> the below ticket log4j 2.17.1 code changes are committed.
> https://issues.apache.org/jira/browse/FLINK-25472
> Since these are security fixes it will be helpful if Flink 1.12.8 will be
> released. Could you please let us know if it is possible to plan this
> release?
>
> Regards,
> Suchithra
