busrau opened a new issue, #633:
URL: https://github.com/apache/lucenenet/issues/633

   Hi,
   
   We are using Lucene.Net package 3.0.3 version and sonar reports say there is 
a blocker vulnerability issue caused by SharpZipLib 0.86.
   Do you have any release plan to prevent this issue, because your other 
version is still beta and we currently use this lib in our prod.
   
   Sonar error is: ICSharpCode.SharpZipLib.dll | Reference: CVE-2021-32840 | 
CVSS Score: 9.8 | Category: CWE-22 | SharpZipLib (or #ziplib) is a Zip, GZip, 
Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` 
may be extracted in the parent directory of `destFolder`. This leads to 
arbitrary file write that may lead to code execution. The vulnerability was 
patched in version 1.3.3. See Rule
   
   SharpZipLib already has an updated version. What do you think about that?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@lucenenet.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
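The Sonar finding quoted in the issue is a path-traversal (CWE-22) weakness in archive extraction: an entry name such as `../evil.txt` is joined onto `destFolder` without checking that the resolved path still lies inside it. The following is an added example, not code from the Lucene.Net project, the issue author or SharpZipLib; it shows the containment check that consumers of any archive library can apply to attacker-controlled entry names before writing to disk. `SafeExtractPath`, `TryResolve` and the sample entry names are hypothetical and constructed for the illustration; the code uses only `System.IO`, so it does not depend on a particular SharpZipLib version.

```csharp
using System;
using System.IO;

// Hypothetical helper (not SharpZipLib or Lucene.Net code): decide whether an
// archive entry name may safely be written under destFolder. Entry names in a
// TAR or ZIP come from the archive itself and must be treated as untrusted.
static class SafeExtractPath
{
    public static bool TryResolve(string destFolder, string entryName, out string fullPath)
    {
        fullPath = null;

        // A TAR entry must be a relative name; reject empty or rooted names outright.
        if (string.IsNullOrWhiteSpace(entryName) || Path.IsPathRooted(entryName))
            return false;

        // Normalise the destination once and force a trailing separator, so that
        // a sibling such as "C:\dest2\x" is not mistaken for a child of "C:\dest".
        string root = Path.GetFullPath(destFolder);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;

        // Path.GetFullPath collapses "." and ".." segments; this is exactly the
        // step where "../evil.txt" resolves to the parent of destFolder.
        string candidate = Path.GetFullPath(Path.Combine(root, entryName));

        // Ordinal prefix test on the normalised strings: both were derived from
        // the same root, so case differences cannot arise here.
        if (!candidate.StartsWith(root, StringComparison.Ordinal))
            return false; // resolved outside destFolder, do not extract

        fullPath = candidate;
        return true;
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample values for the demonstration.
        string dest = Path.Combine(Path.GetTempPath(), "destFolder");
        string[] entryNames =
        {
            "../evil.txt",          // the entry name from the CVE description
            "docs/readme.txt",      // ordinary entry, allowed
            "docs/../../evil.txt",  // traversal hidden behind a valid prefix
            "/etc/passwd"           // rooted name, never valid in an archive
        };

        foreach (string name in entryNames)
        {
            bool ok = SafeExtractPath.TryResolve(dest, name, out string resolved);
            Console.WriteLine($"{name,-24} -> {(ok ? "extract to " + resolved : "REJECTED")}");
        }
    }
}
```

In an extraction loop the check runs once per entry, before any file or directory is created, and a rejected entry should fail the whole extraction rather than be silently skipped, since a partially extracted archive is itself hard to reason about. Upgrading to a SharpZipLib release at or above 1.3.3, as the Sonar rule states, moves this check into the library, but keeping it at the call site costs nothing and also covers other archive formats.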
