Yeah we should bump that to be closer to the connector version released
with 1.16.0.
On 02/11/2022 15:53, Sergey Nuyanzin wrote:
still checking
however there is at least one finding I would like to highlight
currently elasticsearch connector depends on jackson-bom 2.13.2.20220328
which has 2 CVEs CVE-2022-42003[1] CVE-2022-42004[2] fixed in
2.13.4.20221013 [3]
Does it make sense to include it in this version?
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004
[3]
https://github.com/FasterXML/jackson-databind/issues/3590#issue-1362567066
On Wed, Nov 2, 2022 at 12:01 PM Chesnay Schepler <ches...@apache.org> wrote:
Hi everyone,
Please review and vote on the release candidate #1 for the version
3.0.0, as follows:
[ ] +1, Approve the release
[ ] -1, Do not approve the release (please provide specific comments)
The complete staging area is available for your review, which includes:
* JIRA release notes [1],
* the official Apache source release to be deployed to dist.apache.org
[2], which are signed with the key with fingerprint C2EED7B111D464BA [3],
* all artifacts to be deployed to the Maven Central Repository [4],
* source code tag [5],
* website pull request listing the new release [6].
The vote will be open for at least 72 hours. It is adopted by majority
approval, with at least 3 PMC affirmative votes.
Note: This is the first release of an externalized connector, relying on
a new set of scripts. Double-check _everything_.
Thanks,
Release Manager
[1] https://issues.apache.org/jira/projects/FLINK/versions/12352291
[2]
https://dist.apache.org/repos/dist/dev/flink/flink-connector-elasticsearch-3.0.0-rc1/
[3] https://dist.apache.org/repos/dist/release/flink/KEYS
[4]
https://repository.apache.org/content/repositories/orgapacheflink-1543/
[5]
https://github.com/apache/flink-connector-elasticsearch/releases/tag/v3.0.0-rc1
[6] https://github.com/apache/flink-web/pull/579
