Hi Guowei, Flink 1.12.7 is already released. Request is for 1.12.8 release with log4j 2.17.1. You meant 1.12.8 here?
Regards, Suchithra -----Original Message----- From: Guowei Ma <[email protected]> Sent: Thursday, January 20, 2022 11:26 AM To: dev <[email protected]> Subject: Re: Request for Flink 1.12.8 release Hi Suchithra I don't think there is a plan to release 1.12.7 for this. But I think you could build it from the source.[1] [1] https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source Best, Guowei On Wed, Jan 19, 2022 at 7:11 PM V N, Suchithra (Nokia - IN/Bangalore) < [email protected]> wrote: > Hello, > > We are using Apache Flink 1.12 version. Due to log4j security > vulnerabilities(CVE-2021-44228) we have upgraded to Flink 1.12.7 which > contains the fix for CVE-2021-44228(Critical) and CVE-2021-45046(Critical). > Later two more vulnerabilities are reported CVE-2021-45105(Moderate) > and > CVE-2021-44832(Moderate) which is fixed with Apache log4j 2.17.1 and > we were expecting patch release(Flink 1.12.8) with it. > > As per the community, it supports current and previous minor versions > (1.13, 1.14) with bug fixes. > > Flink community officially only supports current and previous minor > versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn't expect > there will be another patch release for 1.12. > > If you really need an extra release for the unsupported version, the > most straightforward approach would be manually building the Flink > distribution from sources [2] with the patches you need. > > [1] > https://flink.apache.org/downloads.html#update-policy-for-old-releases > [2] > > https://github.com/apache/flink/tree/release-1.12#building-apache-flin > k-from-source > > Apache Flink 1.12.7 release with critical fix was really helpful. As > per the below ticket log4j 2.17.1 code changes are committed. > https://issues.apache.org/jira/browse/FLINK-25472 > Since these are security fixes It will be helpful if Flink 1.12.8 will > be released. Could you please let us know if it is possible to plan > this release? > > Regards, > Suchithra > > > > >
