Hi Team, Any updates on Flink 1.13.6 version release?
Regards, Surendra Lalwani On Fri, Feb 4, 2022 at 1:23 PM Martijn Visser <mart...@ververica.com> wrote: > Hi Surendra, > > You can follow the discussion on this topic in the Dev mailing list [1]. I > would expect it in the next couple of weeks. > > Best regards, > > Martijn > > [1] https://lists.apache.org/thread/n417406j125n080vopljgfflc45yygh4 > > On Fri, 4 Feb 2022 at 08:49, Surendra Lalwani <surendra.lalw...@swiggy.in> > wrote: > >> Hi Team, >> >> Any ETA on Flink version 1.13.6 release. >> >> Thanks and Regards , >> Surendra Lalwani >> >> >> On Sun, Jan 9, 2022 at 3:50 PM David Morávek <d...@apache.org> wrote: >> >>> Flink community officially only supports current and previous minor >>> versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn’t expect >>> there will be another patch release for 1.12. >>> >>> If you really need an extra release for the unsupported version, the >>> most straightforward approach would be manually building the Flink >>> distribution from sources [2] with the patches you need. >>> >>> [1] >>> https://flink.apache.org/downloads.html#update-policy-for-old-releases >>> [2] >>> >>> https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source >>> >>> D. >>> >>> On Sun 9. 1. 2022 at 10:10, V N, Suchithra (Nokia - IN/Bangalore) < >>> suchithra....@nokia.com> wrote: >>> >>>> Hi David, >>>> >>>> >>>> >>>> As per the below comments, Flink 1.14.3 is in preparation and this >>>> hasn't started yet for Flink 1.13.6. Flink 1.12.8 release will be >>>> planned after this? If there is no current plan, could you please let us >>>> know what will be the regular release timing for 1.12.8 version. >>>> >>>> >>>> >>>> Regards, >>>> >>>> Suchithra >>>> >>>> >>>> >>>> *From:* David Morávek <d...@apache.org> >>>> *Sent:* Sunday, January 9, 2022 12:11 AM >>>> *To:* V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com> >>>> *Cc:* Chesnay Schepler <ches...@apache.org>; Martijn Visser < >>>> mart...@ververica.com>; Michael Guterl <gute...@justin.tv>; Parag >>>> Somani <somanipa...@gmail.com>; patrick.eif...@sony.com; Richard >>>> Deurwaarder <rich...@xeli.eu>; User <user@flink.apache.org>; >>>> subharaj.ma...@gmail.com; swamy.haj...@gmail.com >>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability >>>> >>>> >>>> >>>> Hi Suchithra, >>>> >>>> >>>> >>>> there is currently no plan on doing another 1.12 release >>>> >>>> >>>> >>>> D. >>>> >>>> >>>> >>>> On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) < >>>> suchithra....@nokia.com> wrote: >>>> >>>> Hi, >>>> >>>> >>>> >>>> When can we expect the flink 1.12 releases with log4j 2.17.1? >>>> >>>> >>>> >>>> Thanks, >>>> >>>> Suchithra >>>> >>>> >>>> >>>> *From:* Martijn Visser <mart...@ververica.com> >>>> *Sent:* Thursday, January 6, 2022 7:45 PM >>>> *To:* patrick.eif...@sony.com >>>> *Cc:* David Morávek <d...@apache.org>; swamy.haj...@gmail.com; >>>> subharaj.ma...@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) < >>>> suchithra....@nokia.com>; Chesnay Schepler <ches...@apache.org>; User < >>>> user@flink.apache.org>; Michael Guterl <gute...@justin.tv>; Richard >>>> Deurwaarder <rich...@xeli.eu>; Parag Somani <somanipa...@gmail.com> >>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability >>>> >>>> >>>> >>>> Hi all, >>>> >>>> >>>> >>>> The ticket for upgrading Log4J to 2.17.0 is >>>> https://issues.apache.org/jira/browse/FLINK-25375. There's also the >>>> update to Log4j 2.17.1 which is tracked under >>>> https://issues.apache.org/jira/browse/FLINK-25472 >>>> >>>> >>>> >>>> As you can see, both have a fix version set to 1.14.3 and 1.13.6. These >>>> versions haven't been released yet. Flink 1.14.3 is in preparation, this >>>> hasn't started yet for Flink 1.13.6. >>>> >>>> >>>> >>>> Best regards, >>>> >>>> >>>> >>>> Martijn >>>> >>>> >>>> >>>> On Thu, 6 Jan 2022 at 15:05, <patrick.eif...@sony.com> wrote: >>>> >>>> Hi, >>>> >>>> >>>> >>>> just to be sure: Which Flink Releases for 1.14 and 1.13 have the >>>> upgraded log4j version 2.17.0? >>>> >>>> Are those already deployed to docker? >>>> >>>> >>>> >>>> Many Thanks in Advance. >>>> >>>> >>>> >>>> Kind Regards, >>>> >>>> >>>> >>>> Patrick >>>> >>>> -- >>>> >>>> Patrick Eifler >>>> >>>> >>>> >>>> Senior Software Engineer (BI) >>>> >>>> Cloud Gaming Engineering & Infrastructure >>>> Sony Interactive Entertainment LLC >>>> >>>> Wilhelmstraße 118, 10963 Berlin >>>> >>>> >>>> Germany >>>> >>>> E: patrick.eif...@sony.com >>>> >>>> >>>> >>>> *From: *David Morávek <d...@apache.org> >>>> *Date: *Wednesday, 29. December 2021 at 09:35 >>>> *To: *narasimha <swamy.haj...@gmail.com> >>>> *Cc: *Debraj Manna <subharaj.ma...@gmail.com>, Martijn Visser < >>>> mart...@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) < >>>> suchithra....@nokia.com>, Chesnay Schepler <ches...@apache.org>, user < >>>> user@flink.apache.org>, Michael Guterl <gute...@justin.tv>, Richard >>>> Deurwaarder <rich...@xeli.eu>, Parag Somani <somanipa...@gmail.com> >>>> *Subject: *Re: CVE-2021-44228 - Log4j2 vulnerability >>>> >>>> Please follow the above mentioned ML thread for more details. Please >>>> note that this is a REGULAR release that is not motivated by the log4j CVE, >>>> so the stability of the release is the more important factor then having it >>>> out as soon as possible. >>>> >>>> >>>> >>>> D. >>>> >>>> >>>> >>>> On Mon, Dec 27, 2021 at 6:33 AM narasimha <swamy.haj...@gmail.com> >>>> wrote: >>>> >>>> Hi folks, >>>> >>>> >>>> >>>> When can we expect the release to be made available to the community? >>>> >>>> >>>> >>>> On Wed, Dec 22, 2021 at 3:07 PM David Morávek <d...@apache.org> wrote: >>>> >>>> Hi Debraj, >>>> >>>> >>>> >>>> we're currently not planning another emergency release as this CVE is >>>> not as critical for Flink users as the previous one. However, this patch >>>> will be included in all upcoming patch & minor releases. The patch release >>>> for the 1.14.x branch is already in progress [1] (it may be bit delayed due >>>> to the holiday season). >>>> >>>> >>>> >>>> [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk >>>> <https://urldefense.com/v3/__https:/lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hRKh5TRwA$> >>>> >>>> >>>> >>>> Best, >>>> >>>> D. >>>> >>>> >>>> >>>> On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <subharaj.ma...@gmail.com> >>>> wrote: >>>> >>>> Any idea when can we expect >>>> https://issues.apache.org/jira/browse/FLINK-25375 >>>> <https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25375__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQwiEO9Lg$> >>>> to be released? >>>> >>>> >>>> >>>> On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <mart...@ververica.com> >>>> wrote: >>>> >>>> Hi, >>>> >>>> >>>> >>>> The status and Flink ticket for upgrading to Log4j 2.17.0 can be >>>> tracked at https://issues.apache.org/jira/browse/FLINK-25375 >>>> <https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25375__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQwiEO9Lg$> >>>> . >>>> >>>> >>>> >>>> Best regards, >>>> >>>> >>>> >>>> Martijn >>>> >>>> >>>> >>>> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) < >>>> suchithra....@nokia.com> wrote: >>>> >>>> Hi, >>>> >>>> >>>> >>>> It seems there is high severity vulnerability in log4j 2.16.0.( >>>> CVE-2021-45105 >>>> <https://urldefense.com/v3/__https:/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQxXtq_BQ$> >>>> ) >>>> >>>> Refer : https://logging.apache.org/log4j/2.x/security.html >>>> <https://urldefense.com/v3/__https:/logging.apache.org/log4j/2.x/security.html__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hScVJh0Lw$> >>>> >>>> Any update on this please? >>>> >>>> >>>> >>>> Regards, >>>> >>>> Suchithra >>>> >>>> >>>> >>>> *From:* Chesnay Schepler <ches...@apache.org> >>>> *Sent:* Thursday, December 16, 2021 4:35 PM >>>> *To:* Parag Somani <somanipa...@gmail.com> >>>> *Cc:* Michael Guterl <gute...@justin.tv>; V N, Suchithra (Nokia - >>>> IN/Bangalore) <suchithra....@nokia.com>; Richard Deurwaarder < >>>> rich...@xeli.eu>; user <user@flink.apache.org> >>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability >>>> >>>> >>>> >>>> We will announce the releases when the binaries are available. >>>> >>>> >>>> >>>> On 16/12/2021 05:37, Parag Somani wrote: >>>> >>>> Thank you Chesnay for expediting this fix...! >>>> >>>> >>>> >>>> Can you suggest, when can I get binaries for 1.14.2 flink version? >>>> >>>> >>>> >>>> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org> >>>> wrote: >>>> >>>> We will push docker images for all new releases, yes. >>>> >>>> >>>> >>>> On 16/12/2021 01:16, Michael Guterl wrote: >>>> >>>> Will you all be pushing Docker images for the 1.11.6 release? >>>> >>>> >>>> >>>> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ches...@apache.org> >>>> wrote: >>>> >>>> The current ETA is 40h for an official announcement. >>>> >>>> We are validating the release today (concludes in 16h), publish it >>>> tonight, then wait for mirrors to be sync (about a day), then we announce >>>> it. >>>> >>>> >>>> >>>> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote: >>>> >>>> Hello, >>>> >>>> >>>> >>>> Could you please tell when we can expect Flink 1.12.7 release? We are >>>> waiting for the CVE fix. >>>> >>>> >>>> >>>> Regards, >>>> >>>> Suchithra >>>> >>>> >>>> >>>> >>>> >>>> *From:* Chesnay Schepler <ches...@apache.org> <ches...@apache.org> >>>> *Sent:* Wednesday, December 15, 2021 4:04 PM >>>> *To:* Richard Deurwaarder <rich...@xeli.eu> <rich...@xeli.eu> >>>> *Cc:* user <user@flink.apache.org> <user@flink.apache.org> >>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability >>>> >>>> >>>> >>>> We will also update the docker images. >>>> >>>> >>>> >>>> On 15/12/2021 11:29, Richard Deurwaarder wrote: >>>> >>>> Thanks for picking this up quickly! >>>> >>>> >>>> >>>> I saw you've made a second minor upgrade to upgrade to log4j2 2.16 >>>> which is perfect. >>>> >>>> >>>> >>>> Just to clarify: Will you also push new docker images for these >>>> releases as well? In particular flink 1.11.6 (Sorry we must upgrade soon! >>>> :() >>>> >>>> >>>> >>>> On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com> >>>> wrote: >>>> >>>> Thanks TImo, that was helpful. >>>> >>>> >>>> >>>> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar < >>>> prasannakumarram...@gmail.com> wrote: >>>> >>>> Chesnay Thank you for the clarification. >>>> >>>> >>>> >>>> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org> >>>> wrote: >>>> >>>> The flink-shaded-zookeeper jars do not contain log4j. >>>> >>>> >>>> >>>> On 13/12/2021 14:11, Prasanna kumar wrote: >>>> >>>> Does Zookeeper have this vulnerability dependency ? I see references to >>>> log4j in Shaded Zookeeper jar included as part of the flink distribution. >>>> >>>> >>>> >>>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> >>>> wrote: >>>> >>>> While we are working to upgrade the affected dependencies of all >>>> components, we recommend users follow the advisory of the Apache Log4j >>>> Community. Also Ververica platform can be patched with a similar >>>> approach: >>>> >>>> To configure the JVMs used by Ververica Platform, you can pass custom >>>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the >>>> following to your platform values.yaml, or append to the existing value >>>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy >>>> the platform with Helm: >>>> env: >>>> - name: JAVA_TOOL_OPTIONS >>>> value: -Dlog4j2.formatMsgNoLookups=true >>>> >>>> >>>> For any questions, please contact us via our support portal. >>>> >>>> Regards, >>>> Timo >>>> >>>> On 11.12.21 06:45, narasimha wrote: >>>> > Folks, what about the veverica platform. Is there any >>>> mitigation around it? >>>> > >>>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org >>>> > <mailto:ches...@apache.org>> wrote: >>>> > >>>> > I would recommend to modify your log4j configurations to set >>>> > log4j2.formatMsgNoLookups to true/./ >>>> > / >>>> > / >>>> > As far as I can tell this is equivalent to upgrading log4j, which >>>> > just disabled this lookup by default. >>>> > / >>>> > / >>>> > On 10/12/2021 10:21, Richard Deurwaarder wrote: >>>> >> Hello, >>>> >> >>>> >> There has been a log4j2 vulnerability made public >>>> >> https://www.randori.com/blog/cve-2021-44228/ >>>> <https://urldefense.com/v3/__https:/www.randori.com/blog/cve-2021-44228/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hT3zUr1cA$> >>>> >> <https://www.randori.com/blog/cve-2021-44228/ >>>> <https://urldefense.com/v3/__https:/www.randori.com/blog/cve-2021-44228/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hT3zUr1cA$>> >>>> which is making >>>> >> some waves :) >>>> >> This post even explicitly mentions Apache Flink: >>>> >> >>>> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/ >>>> <https://urldefense.com/v3/__https:/securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQ-1px2RQ$> >>>> >> < >>>> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/ >>>> <https://urldefense.com/v3/__https:/securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQ-1px2RQ$> >>>> > >>>> >> >>>> >> And fortunately, I saw this was already on your radar: >>>> >> https://issues.apache.org/jira/browse/FLINK-25240 >>>> <https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25240__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQoveuE5g$> >>>> >> <https://issues.apache.org/jira/browse/FLINK-25240 >>>> <https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25240__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQoveuE5g$> >>>> > >>>> >> >>>> >> What would the advice be for flink users? Do you expect to push a >>>> >> minor to fix this? Or is it advisable to upgrade to the latest >>>> >> log4j2 version manually for now? >>>> >> >>>> >> Thanks for any advice! >>>> > >>>> > >>>> > >>>> > >>>> > -- >>>> > A.Narasimha Swamy >>>> >>>> >>>> >>>> >>>> >>>> >>>> -- >>>> >>>> A.Narasimha Swamy >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> -- >>>> >>>> Regards, >>>> Parag Surajmal Somani. >>>> >>>> >>>> >>>> >>>> >>>> >>>> -- >>>> >>>> A.Narasimha Swamy >>>> >>>> >> >> ------------------------------ >> IMPORTANT NOTICE: This e-mail, including any attachments, may contain >> confidential information and is intended only for the addressee(s) named >> above. If you are not the intended recipient(s), you should not >> disseminate, distribute, or copy this e-mail. Please notify the sender by >> reply e-mail immediately if you have received this e-mail in error and >> permanently delete all copies of the original message from your system. >> E-mail transmission cannot be guaranteed to be secure as it could be >> intercepted, corrupted, lost, destroyed, arrive late or incomplete, or >> contain viruses. Company accepts no liability for any damage or loss of >> confidential information caused by this email or due to any virus >> transmitted by this email or otherwise. > > -- IMPORTANT NOTICE: This e-mail, including any attachments, may contain confidential information and is intended only for the addressee(s) named above. If you are not the intended recipient(s), you should not disseminate, distribute, or copy this e-mail. Please notify the sender by reply e-mail immediately if you have received this e-mail in error and permanently delete all copies of the original message from your system. E-mail transmission cannot be guaranteed to be secure as it could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Company accepts no liability for any damage or loss of confidential information caused by this email or due to any virus transmitted by this email or otherwise.
