[ https://issues.apache.org/jira/browse/FLINK-23315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guilaume Kermorgant updated FLINK-23315:
----------------------------------------
    Description: 
Flink 1.13 is currently [relying on log4j 2.12.1|#L110], which has a [low 
severity vulnerability|https://nvd.nist.gov/vuln/detail/CVE-2020-9488].

This is fixed in Log4j 2.13.1.

Flink 1.14 will be released with Log4j 2.14.1, cf. FLINK-22407

It would be nice for us to have it in Flink 1.13.2 as well, if the community 
thinks it's not a bad idea; this could also be a good opportunity for me to 
open a first PR in the Flink repo.

  was:
Flink 1.13 is currently [relying on log4j 
2.12.1|https://github.com/apache/flink/blob/release-1.13/pom.xml#L110], which 
has a [low severity 
vulnerability|https://nvd.nist.gov/vuln/detail/CVE-2020-9488].

This is fixed in Log4j 2.13.1.

Flink 1.14 will be released with Log4j 2.14.1, cf. 
[FLINK-22407|https://issues.apache.org/jira/browse/FLINK-22407]

It would be nice for us to have it in Flink 1.13.2 as well, if the community 
thinks it's not a bad idea; this could also be a good opportunity for me to 
open a first PR in the Flink repo.


> Bump log4j to 2.14.1 for version 1.13.2
> ---------------------------------------
>
>                 Key: FLINK-23315
>                 URL: https://issues.apache.org/jira/browse/FLINK-23315
>             Project: Flink
>          Issue Type: Improvement
>            Reporter: Guilaume Kermorgant
>            Priority: Minor
>             Fix For: 1.13.2
>
>
> Flink 1.13 is currently [relying on log4j 2.12.1|#L110], which has a [low 
> severity vulnerability|https://nvd.nist.gov/vuln/detail/CVE-2020-9488].
> This is fixed in Log4j 2.13.1.
> Flink 1.14 will be released with Log4j 2.14.1, cf. FLINK-22407
> It would be nice for us to have it in Flink 1.13.2 as well, if the community 
> thinks it's not a bad idea; this could also be a good opportunity for me to 
> open a first PR in the Flink repo.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
