Hi Francisco,

KMW Technology provides commercial support for Solr 8.11.x and we maintain a custom build that fixes many of these CVEs. Let me know if you are interested and we can share some more details.

Best,
-Kevin

On Mon, May 27, 2024 at 6:52 AM Francisco Jose Mulero <francisco-jose.mul...@broadcom.com.invalid> wrote:

> Hi
>
> The library software.amazon.ion/ion-java is currently fixed to version
> 1.0.2 [1]. That library is provided along with the version 8.11.3. I am
> not sure where it comes from but that version has a high CVE reported
> (CVE-2024-21634 [2]). Is there any plan to update it?
>
> [1] https://github.com/apache/solr/blob/2b28161cc565f695e0ec0761a0c3b0f4c09074f9/versions.lock#L453C1-L453C35
> [2] https://nvd.nist.gov/vuln/detail/CVE-2024-21634