Hi, Yes, that's right. Best, Guowei
On Thu, Jan 20, 2022 at 2:08 PM V N, Suchithra (Nokia - IN/Bangalore) < suchithra....@nokia.com> wrote: > Hi Guowei, > > Flink 1.12.7 is already released. Request is for 1.12.8 release with log4j > 2.17.1. You meant 1.12.8 here? > > Regards, > Suchithra > > -----Original Message----- > From: Guowei Ma <guowei....@gmail.com> > Sent: Thursday, January 20, 2022 11:26 AM > To: dev <dev@flink.apache.org> > Subject: Re: Request for Flink 1.12.8 release > > Hi Suchithra > > I don't think there is a plan to release 1.12.7 for this. But I think you > could build it from the source.[1] > > [1] > > https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source > > Best, > Guowei > > > On Wed, Jan 19, 2022 at 7:11 PM V N, Suchithra (Nokia - IN/Bangalore) < > suchithra....@nokia.com> wrote: > > > Hello, > > > > We are using Apache Flink 1.12 version. Due to log4j security > > vulnerabilities(CVE-2021-44228) we have upgraded to Flink 1.12.7 which > > contains the fix for CVE-2021-44228(Critical) and > CVE-2021-45046(Critical). > > Later two more vulnerabilities are reported CVE-2021-45105(Moderate) > > and > > CVE-2021-44832(Moderate) which is fixed with Apache log4j 2.17.1 and > > we were expecting patch release(Flink 1.12.8) with it. > > > > As per the community, it supports current and previous minor versions > > (1.13, 1.14) with bug fixes. > > > > Flink community officially only supports current and previous minor > > versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn't expect > > there will be another patch release for 1.12. > > > > If you really need an extra release for the unsupported version, the > > most straightforward approach would be manually building the Flink > > distribution from sources [2] with the patches you need. > > > > [1] > > https://flink.apache.org/downloads.html#update-policy-for-old-releases > > [2] > > > > https://github.com/apache/flink/tree/release-1.12#building-apache-flin > > k-from-source > > > > Apache Flink 1.12.7 release with critical fix was really helpful. As > > per the below ticket log4j 2.17.1 code changes are committed. > > https://issues.apache.org/jira/browse/FLINK-25472 > > Since these are security fixes It will be helpful if Flink 1.12.8 will > > be released. Could you please let us know if it is possible to plan > > this release? > > > > Regards, > > Suchithra > > > > > > > > > > >
