Hi Francisco,

There are no plans for another Solr 8.11.x release, and I don't expect there to be one if the remedy is upgrading the JAR manually, which any user can do. That's also only for a module of Solr that a subset of users must opt in to use for this to even be applicable. Also, that CVE is just a DoS attack -- these usually don't concern me.
~ David

On Mon, May 27, 2024 at 6:52 AM Francisco Jose Mulero <francisco-jose.mul...@broadcom.com.invalid> wrote:
>
> Hi
>
> The library software.amazon.ion/ion-java is currently fixed to version
> 1.0.2 [1]. That library is provided along with the version 8.11.3. I am
> not sure where it comes from but that version has a high CVE reported
> (CVE-2024-21634 [2]). Is there any plan to update it?
>
> [1] https://github.com/apache/solr/blob/2b28161cc565f695e0ec0761a0c3b0f4c09074f9/versions.lock#L453C1-L453C35
> [2] https://nvd.nist.gov/vuln/detail/CVE-2024-21634
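As an added illustration (not code from the thread or from the Solr project), the check an operator would run before deciding whether the pinned JAR matters: read the version pinned for an artifact out of a versions.lock file and compare it numerically against an advisory's first fixed release. The lock-line format is assumed to be the one gradle-consistent-versions writes, the lock excerpt is constructed, and the "2.0.0" threshold is a constructed placeholder; the real fixed version for CVE-2024-21634 comes from the NVD entry linked above.

```python
import re
from typing import Optional

# Lock lines as written by the gradle-consistent-versions plugin (assumed format):
#   group:artifact:version (N constraints: hash)
LOCK_LINE = re.compile(r"^(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<version>\S+)")

# Constructed lock excerpt; the ion-java line mirrors the 1.0.2 pin the thread cites.
SAMPLE_LOCK = """\
org.apache.zookeeper:zookeeper:3.9.2 (1 constraints: 00000000)
software.amazon.ion:ion-java:1.0.2 (1 constraints: 00000000)
"""


def parse_version(version: str) -> tuple:
    """Compare '1.10.5' numerically: a plain string sort would rank '1.9' above '1.10'.
    Non-numeric pieces stay strings and sort below any number."""
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-]", version))


def pinned_version(lock_text: str, group: str, artifact: str) -> Optional[str]:
    """Return the version pinned for group:artifact, or None if it is absent."""
    for line in lock_text.splitlines():
        match = LOCK_LINE.match(line.strip())
        if match and (match["group"], match["artifact"]) == (group, artifact):
            return match["version"]
    return None


def check_pin(lock_text: str, group: str, artifact: str,
              cve_id: str, fixed_version: str) -> Optional[dict]:
    """Return None if the artifact is not pinned; otherwise a report whose 'affected'
    flag is True when the pin predates the advisory's first fixed release."""
    pinned = pinned_version(lock_text, group, artifact)
    if pinned is None:
        return None
    return {"cve": cve_id, "pinned": pinned, "fixed": fixed_version,
            "affected": parse_version(pinned) < parse_version(fixed_version)}


if __name__ == "__main__":
    # "2.0.0" is a constructed threshold; take the real one from the NVD entry.
    print(check_pin(SAMPLE_LOCK, "software.amazon.ion", "ion-java",
                    "CVE-2024-21634", "2.0.0"))
```

An "affected" result only says the pinned JAR is older than the fix; as the reply notes, whether that matters still depends on whether the opt-in module that bundles it is actually deployed.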