Re: CVE-2021-44228 - Log4j2 vulnerability

2022-02-20 Thread Francis Conroy
k 1.14.3 is in preparation and this hasn't started yet for Flink 1.13.6. Flink 1.12.8 release will be planned after this? If there is no current plan, could you please let us know what will be the regular

Re: CVE-2021-44228 - Log4j2 vulnerability

2022-02-20 Thread Surendra Lalwani
21-44228 - Log4j2 vulnerability Hi Suchithra, there is currently no plan on doing another 1.12 release

Re: CVE-2021-44228 - Log4j2 vulnerability

2022-02-03 Thread Martijn Visser
*From:* David Morávek *Sent:* Sunday, January 9, 2022 12:11 AM *To:* V N, Suchithra (Nokia - IN/Bangalore) *Cc:* Chesnay Schepler ; Martijn Visser <mart...@ververica.com>; Michael Guterl ; Parag

Re: CVE-2021-44228 - Log4j2 vulnerability

2022-02-03 Thread Surendra Lalwani
* Chesnay Schepler ; Martijn Visser <mart...@ververica.com>; Michael Guterl ; Parag Somani ; patrick.eif...@sony.com; Richard Deurwaarder <rich...@xeli.eu>; User ; subharaj.ma...@gmail.com; swamy.haj...@gmail.com *Subject:* Re: CVE-2021-442

Re: CVE-2021-44228 - Log4j2 vulnerability

2022-01-09 Thread David Morávek
tijn Visser <mart...@ververica.com>; Michael Guterl ; Parag Somani <somanipa...@gmail.com>; patrick.eif...@sony.com; Richard Deurwaarder <rich...@xeli.eu>; User ; subharaj.ma...@gmail.com; swamy.haj...@gmail.com *Subject:* Re: CVE-2021-44228 - Log4j

RE: CVE-2021-44228 - Log4j2 vulnerability

2022-01-09 Thread V N, Suchithra (Nokia - IN/Bangalore)
: Re: CVE-2021-44228 - Log4j2 vulnerability Hi Suchithra, there is currently no plan on doing another 1.12 release D. On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) <mailto:suchithra@nokia.com> wrote: Hi, When can we expect the flink 1.12 releases with log4j 2.17.1?

Re: CVE-2021-44228 - Log4j2 vulnerability

2022-01-08 Thread David Morávek
kia.com>; Chesnay Schepler ; User <user@flink.apache.org>; Michael Guterl ; Richard Deurwaarder ; Parag Somani *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability Hi all, The ticket for upgrading Log4J to 2.17.0 is https://i

RE: CVE-2021-44228 - Log4j2 vulnerability

2022-01-08 Thread V N, Suchithra (Nokia - IN/Bangalore)
Schepler ; User ; Michael Guterl ; Richard Deurwaarder ; Parag Somani Subject: Re: CVE-2021-44228 - Log4j2 vulnerability Hi all, The ticket for upgrading Log4J to 2.17.0 is https://issues.apache.org/jira/browse/FLINK-25375. There's also the update to Log4j 2.17.1 which is tracked under https

Re: CVE-2021-44228 - Log4j2 vulnerability

2022-01-06 Thread Martijn Visser
mart...@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>, Chesnay Schepler , user <user@flink.apache.org>, Michael Guterl , Richard Deurwaarder , Parag Somani *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability Pl

Re: CVE-2021-44228 - Log4j2 vulnerability

2022-01-06 Thread Patrick.Eifler
hard Deurwaarder , Parag Somani Subject: Re: CVE-2021-44228 - Log4j2 vulnerability Please follow the above-mentioned ML thread for more details. Please note that this is a REGULAR release that is not motivated by the log4j CVE, so the stability of the release is the more important factor than ha

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-29 Thread David Morávek
; Can you suggest, when can I get binaries for 1.14.2 flink version? On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler wrote: We will push docker images for

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-26 Thread narasimha
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) Refer: https://logging.apache.org/log4j/2.x/security.html Any update on this please?

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-22 Thread David Morávek
On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler wrote: The current ETA is 40h for an official announcement. We are validating the release today (concludes in 16h), publish it tonight, then wa

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-21 Thread Debraj Manna
*From:* Chesnay Schepler *Sent:* Thursday, December 16, 2021 4:35 PM *To:* Parag Somani *Cc:* Michael Guterl ; V N, Suchithra (Nokia - IN/Bangalore) ; Richard Deurwaarder <rich...@xeli.eu>; user *Subject:* R

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-20 Thread Martijn Visser
, Suchithra *From:* Chesnay Schepler *Sent:* Thursday, December 16, 2021 4:35 PM *To:* Parag Somani *Cc:* Michael Guterl ; V N, Suchithra (Nokia - IN/Bangalore) ; Richard Deurwaarder <rich...@xeli.eu>; user *Subject:* Re: CVE-2021

RE: Suspected SPAM - RE: CVE-2021-44228 - Log4j2 vulnerability

2021-12-18 Thread V N, Suchithra (Nokia - IN/Bangalore)
From: V N, Suchithra (Nokia - IN/Bangalore) Sent: Saturday, December 18, 2021 9:20 PM To: Chesnay Schepler ; user Cc: Michael Guterl ; Richard Deurwaarder ; Parag Somani Subject: Suspected SPAM - RE: CVE-2021-44228 - Log4j2 vulnerability Hi, It seems there is high severity vulnerability

RE: CVE-2021-44228 - Log4j2 vulnerability

2021-12-18 Thread V N, Suchithra (Nokia - IN/Bangalore)
ursday, December 16, 2021 4:35 PM To: Parag Somani Cc: Michael Guterl ; V N, Suchithra (Nokia - IN/Bangalore) ; Richard Deurwaarder ; user Subject: Re: CVE-2021-44228 - Log4j2 vulnerability We will announce the releases when the binaries are available. On 16/12/2021 05:37, Parag Somani wrote: Tha

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-16 Thread Chesnay Schepler
*Cc:* user <mailto:user@flink.apache.org> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability We will also update the docker images. On 15/12/2021 11:29, Richard Deurwaarder wrote: Thanks for picking this up quickly! I saw yo

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-15 Thread Parag Somani
waiting for the CVE fix. Regards, Suchithra *From:* Chesnay Schepler *Sent:* Wednesday, December 15, 2021 4:04 PM *To:* Richard Deurwaarder *Cc:* user *Su

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-15 Thread Chesnay Schepler
ect:* Re: CVE-2021-44228 - Log4j2 vulnerability We will also update the docker images. On 15/12/2021 11:29, Richard Deurwaarder wrote: Thanks for picking this up quickly! I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which is perfect.

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-15 Thread Michael Guterl
Suchithra *From:* Chesnay Schepler *Sent:* Wednesday, December 15, 2021 4:04 PM *To:* Richard Deurwaarder *Cc:* user *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability We will also update the docker images. On

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-15 Thread Chesnay Schepler
both versions within ETA mentioned? *From:* Chesnay Schepler *Sent:* Wednesday, December 15, 2021 4:56 PM *To:* V N, Suchithra (Nokia - IN/Bangalore) ; Richard Deurwaarder ; user *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability The current ETA is 40h for an official announcement. We

RE: CVE-2021-44228 - Log4j2 vulnerability

2021-12-15 Thread V N, Suchithra (Nokia - IN/Bangalore)
of 1.12.6 only or we can expect both versions within ETA mentioned? From: Chesnay Schepler Sent: Wednesday, December 15, 2021 4:56 PM To: V N, Suchithra (Nokia - IN/Bangalore) ; Richard Deurwaarder ; user Subject: Re: CVE-2021-44228 - Log4j2 vulnerability The current ETA is 40h for an official

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-15 Thread Chesnay Schepler
tell when we can expect Flink 1.12.7 release? We are waiting for the CVE fix. Regards, Suchithra *From:* Chesnay Schepler *Sent:* Wednesday, December 15, 2021 4:04 PM *To:* Richard Deurwaarder *Cc:* user *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability We will also update the docker images

RE: CVE-2021-44228 - Log4j2 vulnerability

2021-12-15 Thread V N, Suchithra (Nokia - IN/Bangalore)
Hello, Could you please tell when we can expect Flink 1.12.7 release? We are waiting for the CVE fix. Regards, Suchithra From: Chesnay Schepler Sent: Wednesday, December 15, 2021 4:04 PM To: Richard Deurwaarder Cc: user Subject: Re: CVE-2021-44228 - Log4j2 vulnerability We will also

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-15 Thread Chesnay Schepler
We will also update the docker images. On 15/12/2021 11:29, Richard Deurwaarder wrote: Thanks for picking this up quickly! I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which is perfect. Just to clarify: Will you also push new docker images for these releases as well?

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-15 Thread Richard Deurwaarder
Thanks for picking this up quickly! I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which is perfect. Just to clarify: Will you also push new docker images for these releases as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :() On Tue, Dec 14, 2021 at 2:33 AM

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-13 Thread narasimha
Thanks Timo, that was helpful. On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <prasannakumarram...@gmail.com> wrote: Chesnay Thank you for the clarification. On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler wrote: The flink-shaded-zookeeper jars do not contain log4j. On

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-13 Thread Prasanna kumar
Chesnay Thank you for the clarification. On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler wrote: The flink-shaded-zookeeper jars do not contain log4j. On 13/12/2021 14:11, Prasanna kumar wrote: Does Zookeeper have this vulnerability dependency? I see references to log4j in Shaded

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-13 Thread Chesnay Schepler
The flink-shaded-zookeeper jars do not contain log4j. On 13/12/2021 14:11, Prasanna kumar wrote: Does Zookeeper have this vulnerability dependency? I see references to log4j in Shaded Zookeeper jar included as part of the flink distribution. On Mon, Dec 13, 2021 at 1:40 PM Timo Walther

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-13 Thread Prasanna kumar
Does Zookeeper have this vulnerability dependency? I see references to log4j in Shaded Zookeeper jar included as part of the flink distribution. On Mon, Dec 13, 2021 at 1:40 PM Timo Walther wrote: While we are working to upgrade the affected dependencies of all components, we recommend

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-13 Thread Timo Walther
While we are working to upgrade the affected dependencies of all components, we recommend users follow the advisory of the Apache Log4j Community. Also Ververica platform can be patched with a similar approach: To configure the JVMs used by Ververica Platform, you can pass custom Java options

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-10 Thread narasimha
Folks, what about the Ververica platform. Is there any mitigation around it? On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler wrote: I would recommend to modify your log4j configurations to set log4j2.formatMsgNoLookups to true. As far as I can tell this is equivalent to upgrading

Re: CVE-2021-44228 - Log4j2 vulnerability

2021-12-10 Thread Chesnay Schepler
I would recommend to modify your log4j configurations to set log4j2.formatMsgNoLookups to true. As far as I can tell this is equivalent to upgrading log4j, which just disabled this lookup by default. On 10/12/2021 10:21, Richard Deurwaarder wrote: Hello, There has been a log4j2

CVE-2021-44228 - Log4j2 vulnerability

2021-12-10 Thread Richard Deurwaarder
Hello, There has been a log4j2 vulnerability made public https://www.randori.com/blog/cve-2021-44228/ which is making some waves :) This post even explicitly mentions Apache Flink: https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/ And fortunately, I saw this