The Apache Flink community has released emergency bugfix versions of Apache Flink for the 1.11, 1.12, 1.13 and 1.14 series.
We highly recommend all users to upgrade to the respective patch release.
As a result of that certain artifacts are not yet available:
- Maven artifacts are currently being synced to Maven central and will become available over the next 24 hours.
- The 1.11.6/1.12.7 Python binaries will be published at a later date.
This post will be continously updated to reflect the latest state.
To clarify and avoid confusion: The 1.14.1 / 1.13.4 / 1.12.6 / 1.11.5 releases, which were supposed to only contain a Log4j upgrade to 2.15.0, were skipped because CVE-2021-45046 was discovered during the release publication. Some artifacts were published to Maven Central, but no source/binary releases nor Docker images are available for those versions.