Re: [CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

2021-12-15 Thread Stephan Ewen
That's right, they are referenced in POMs published with the jars, though. But that's minor.

On Wed, Dec 15, 2021 at 12:28 PM Chesnay Schepler wrote:
> AFAIK none of the jars we publish actually contains log4j.
> It's only bundled by the distribution/python binaries/docker images.
>
> Hence I

Re: [CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

2021-12-15 Thread Chesnay Schepler
AFAIK none of the jars we publish actually contains log4j. It's only bundled by the distribution/python binaries/docker images.

Hence I don't think the jars help in this case.

On 15/12/2021 10:42, Stephan Ewen wrote:
Given that these artifacts are published already, users can use them if they

Re: [CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

2021-12-15 Thread Stephan Ewen
Given that these artifacts are published already, users can use them if they want to update now:

For example: https://search.maven.org/artifact/org.apache.flink/flink-core/1.14.1/jar

Just for the users that really want to update now (rather than rely on the mitigation via config) and are not as

Re: [CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

2021-12-14 Thread Seth Wiesman
Thank you for managing these updates Chesnay!

On Tue, Dec 14, 2021 at 3:51 PM Chesnay Schepler wrote:
> Since the maven artifacts have already been published we will use the
> next patch version for each release, i.e.:
> 1.11.6
> 1.12.7
> 1.13.5
> 1.14.2
>
> (We could technically just update

Re: [CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

2021-12-14 Thread Chesnay Schepler
Since the maven artifacts have already been published we will use the next patch version for each release, i.e.:
1.11.6
1.12.7
1.13.5
1.14.2

(We could technically just update the source/binaries, but that seems fishy).

On 14/12/2021 22:38, Chesnay Schepler wrote:
I'm canceling the release

[CANCELLED] Release 1.11.5/1.12.6/1.13.4/1.14.1, release candidate #1

2021-12-14 Thread Chesnay Schepler
I'm canceling the release because the issue was not fully fixed in Log4j 2.15.0; see CVE-2021-45046.

I will start preparing new release candidates that use Log4j 2.16.0.

On 14/12/2021 21:28, Chesnay Schepler wrote:
The vote duration has passed and we have approved the releases. Binding