The Docker image for Flink 1.12.7 uses an older base image which comes with
openssl 1.1.1k. There was a previous post in the OpenSSL mailing list
reporting a low vulnerability being fixed with 3.0.6 and 1.1.1r (both
versions being explicitly mentioned) [1]. Therefore, I understand the post
in a way that only 3.0.x would be affected and, as a consequence, Docker
images below 1.13- would be fine.

I verified Mason's finding that only 1.14+ Docker images are affected. No
entire release is necessary as far as I understand. Theoretically, we would
only have to push newer Docker images to the registry. I'm not sure what
the right approach is when it comes to versioning. I'm curious about
Chesnay's opinion on that one (CC'd).

[1]
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000233.html
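As an added example (not code from this thread or from the Flink project), a small POSIX shell check that classifies an `openssl version` string, such as the one printed by `docker run --rm flink:1.14 openssl version`, against the fix release the thread names (3.0.7): it assumes, following the thread's reading of the announcement, that 3.0.0 through 3.0.6 are affected and that 1.1.1 builds such as 1.1.1k are not. The per-image sample table and its date strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Flink project or from anyone in this thread.
# Assumption taken from the thread: OpenSSL 3.0.0 .. 3.0.6 are affected and
# 3.0.7 is the fix release; 1.1.1x builds (e.g. 1.1.1k) are not affected.
FIXED_MAJOR=3; FIXED_MINOR=0; FIXED_PATCH=7

# Usage: openssl_affected "OpenSSL 3.0.2 15 Mar 2022"
# Prints affected | not-affected | unparseable; exit status 0 only when affected.
openssl_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then echo unparseable; return 2; fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[a-z]*}    # 1.1.1k -> patch "1": letter suffixes are 1.1.1-era
    if [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -eq "$FIXED_MINOR" ] \
       && [ "$patch" -lt "$FIXED_PATCH" ]; then
        echo affected; return 0
    fi
    echo not-affected; return 1
}

# Constructed sample of `openssl version` output per image, using the versions
# reported in the thread (image tags and dates are illustrative placeholders).
SAMPLE_OUTPUT='flink:1.12.7 OpenSSL 1.1.1k 25 Mar 2021
flink:1.14 OpenSSL 3.0.2 15 Mar 2022
flink:1.15 OpenSSL 3.0.2 15 Mar 2022
flink:1.16 OpenSSL 3.0.2 15 Mar 2022'

# Prints the image names whose OpenSSL falls in the affected range.
affected_images() {
    printf '%s\n' "$SAMPLE_OUTPUT" | while read -r image rest_of_line; do
        if openssl_affected "$rest_of_line" >/dev/null; then
            printf '%s\n' "$image"
        fi
    done
}

affected_images
```

In practice the sample table would be replaced by the real output of running `openssl version` inside each image to be checked.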

On Tue, Nov 1, 2022 at 7:06 AM Prasanna kumar <prasannakumarram...@gmail.com>
wrote:

> Could we also get an emergency patch to 1.12 version as well, because
> upgrading flink to a newer version on production in a short time would be
> high in effort and longer in duration as well.
>
> Thanks,
> Prasanna
>
> On Tue, Nov 1, 2022 at 11:30 AM Prasanna kumar <
> prasannakumarram...@gmail.com> wrote:
>
> >> Is flink version 1.12 also affected?
>>
>> Thanks,
>> Prasanna.
>>
>> On Tue, Nov 1, 2022 at 10:40 AM Mason Chen <mas.chen6...@gmail.com>
>> wrote:
>>
> >>> Hi Tamir and Martijn,
>>>
>>> We have also noticed this internally. So far, we have found that the
>>> *latest* Flink Java 11/Scala 2.12 docker images *1.14, 1.15, and 1.16*
> >>> are affected, which all have the *openssl 3.0.2* dependency. It would
>>> be good to discuss an emergency release when this patch comes out
>>> tomorrow, as it is the highest priority level from their severity rating.
>>>
>>> Best,
>>> Mason
>>>
>>> On Mon, Oct 31, 2022 at 1:10 PM Martijn Visser <martijnvis...@apache.org>
>>> wrote:
>>>
>>>> Hi Tamir,
>>>>
>>>> That depends on a) if Flink is vulnerable and b) if yes, how vulnerable
>>>> that would be.
>>>>
>>>> Best regards,
>>>>
>>>> Martijn
>>>>
> >>>> On Mon, Oct 31, 2022 at 19:22, Tamir Sagi <
> >>>> tamir.s...@niceactimize.com> wrote:
>>>>
>>>>> Hey all,
>>>>>
>>>>> Following that link
>>>>> https://eu01.z.antigena.com/l/CjXA7qEmnn79gc24BA2Hb6K2OVR-yGlLfMyp4smo5aXj5Z6WC0dSiHCRPqjSz972DkRNssUoTbxKmp5Pi3IaaVB983yfLJ9MUZY9LYtnBMEKJP5DcQqmhR3SktltkbVG8b7nSRa84kWSnwNJFuXFLA2GrMLTVG7mXdy59-ykolsAWAVAJSDgRdWCv6xN0iczvQ
>>>>>
>>>>>
> >>>>> due to a critical vulnerability, there will be an important release of
> >>>>> OpenSSL v3.0.7 tomorrow, November 1st.
>>>>>
>>>>> Is there any plan to update Flink with the newest version?
>>>>>
>>>>> Thanks.
>>>>> Tamir
>>>>>
>>>>>
>>>>> Confidentiality: This communication and any attachments are intended
>>>>> for the above-named persons only and may be confidential and/or legally
>>>>> privileged. Any opinions expressed in this communication are not
>>>>> necessarily those of NICE Actimize. If this communication has come to you
>>>>> in error you must take no action based on it, nor must you copy or show it
>>>>> to anyone; please delete/destroy and inform the sender by e-mail
>>>>> immediately.
>>>>> Monitoring: NICE Actimize may monitor incoming and outgoing e-mails.
>>>>> Viruses: Although we have taken steps toward ensuring that this e-mail
>>>>> and attachments are free from any virus, we advise that in keeping with
>>>>> good computing practice the recipient should ensure they are actually 
>>>>> virus
>>>>> free.
>>>>>
>>>> --
>>>> Martijn
>>>> https://twitter.com/MartijnVisser82
>>>> https://github.com/MartijnVisser
>>>>
>>>