Just looked at the branch, and thank you for doing the back port! Looking at the code, it would have taken me a week of work just do those back ports!
> On Jun 12, 2026, at 10:52 AM, Richard Zowalla <[email protected]> wrote: > > So Martin merged all the stuff to 1.x - any volunteer to run the release? > > > Am 12.06.2026 um 16:24 schrieb Richard Zowalla <[email protected]>: > > > > Everything in question should now either be on opennlp-1.x branch or open > > as a PR ;-) > > > >> Am 12.06.2026 um 15:59 schrieb Martin Wiesner <[email protected]>: > >> > >> Hi all, > >> > >> I’ve just pushed a new 'opennlp-1.x‘ maintenance branch. It contains most > >> of the (transient) dep updates as identified by Richard, see below. > >> Moreover, it has a fix for OPENNLP-1826 which I could easily cherry-pick > >> from 2.x maintenance branch. > >> > >> Rn, 1819, 1820 and 1821 require a deeper look and more work to be > >> integrated. The delta is just to big to for easy cherries here. > >> > >> @ #3: Yes - should be conducted by PMC members. > >> @ #4: I’d like to add, we should declare 1.x EOL, once and if we get an > >> 1.9.5 (last) release out. > >> > >> Best > >> Martin > >> > >>> Am 12.06.2026 um 15:15 schrieb Richard Zowalla <[email protected]>: > >>> > >>> From what I can see after c88f57814c0af0dccf471b895a35981ecdac2e7a - the > >>> work would be > >>> > >>> 1. Cherry pick or port the CVE fixes from 2.x into that branch. This > >>> would be (according to Martin - thx btw): OPENNLP-1819, 1820, 1821 and > >>> 1826 (best case) > >>> 2. Fix the transient CVEs (all in brat annotator) > >>> > >>> Dependency: com.fasterxml.jackson.core:jackson-databind > >>> Current: 2.10.1 > >>> Issue: Long list of deserialization/DoS CVEs: CVE-2020-25649 (XXE), > >>> CVE-2020-36179/36180/36181/36182 + 2021-20190 > >>> (polymorphic > >>> deser gadgets), CVE-2022-42003 / CVE-2022-42004 (DoS) > >>> Fix to: ≥ 2.12.7.1 <http://2.12.7.1> (min) — better a current 2.18.x > >>> ──────────────────────────────────────── > >>> Dependency: jackson-core / jackson-annotations > >>> Current: 2.10.1 > >>> Issue: Keep in lockstep with databind (BOM) > >>> Fix to: same train as databind > >>> ──────────────────────────────────────── > >>> Dependency: org.glassfish.jersey.* (common, client, server, > >>> container-grizzly2, media-json-jackson, media-jaxb, > >>> entity-filtering) > >>> Current: 2.30.1 > >>> Issue: CVE-2021-28168 — local info disclosure via world‑readable temp > >>> file in jersey-common (affects 2.28–2.33) > >>> Fix to: ≥ 2.34; for Java‑8 safety use 2.35 > >>> ──────────────────────────────────────── > >>> Dependency: org.glassfish.grizzly:grizzly-http-server / -http / -framework > >>> Current: 2.4.4 (2018) > >>> Issue: No single high CVE pinned to 2.4.4, but very stale; HTTP > >>> request-smuggling hardening landed in later 2.4.x. Pulled in > >>> transitively by Jersey > >>> Fix to: comes free when Jersey is bumped (2.35 → grizzly 2.4.4 still; > >>> 2.40+ ships newer grizzly) > >>> > >>> 3. After a release: Talk with ASF Security to alter the published CVEs to > >>> include the new release as fix version (as I guess this effort is mostly > >>> driven by static CVE scanners blaming openlp right now). > >>> 4. Decide in OpenNLP if and how many release lines we are willing to > >>> handle as a PMC. > >>> > >>> Gruß > >>> Richard > >>> > >>>> Am 09.06.2026 um 22:00 schrieb Richard Zowalla <[email protected]>: > >>>> > >>>> As written: I dont mind if we do a release (as long as I am not the > >>>> person doing it). > >>>> Aisde from the back ports, it might also need dependency updates as well > >>>> > >>>>> Am 09.06.2026 um 14:42 schrieb Jeff Zemerick <[email protected]>: > >>>>> > >>>>> Yes, thanks Eric and Suneel - Lucene/Solr 9. > >>>>> > >>>>> Thanks, > >>>>> Jeff > >>>>> > >>>>> > >>>>> > >>>>> On Mon, Jun 8, 2026 at 11:54 AM Suneel Marthi <[email protected]> > >>>>> wrote: > >>>>>> > >>>>>> concur with Eric - it's {Lucene, Solr} - 9x. > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> सोम, 8 जून 2026 को 11:19 am बजे को Eric Pugh < > >>>>>> [email protected]> ने लिखा: > >>>>>> > >>>>>>> I think Jeff meant to say Lucene 9 (and Solr 9)! > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>>> On Jun 8, 2026, at 10:40 AM, Richard Zowalla <[email protected]> > >>>>>>> wrote: > >>>>>>>> > >>>>>>>> No, OpenNLP is used in Lucene. > >>>>>>>> > >>>>>>>>> Am 08.06.2026 um 16:29 schrieb Suneel Marthi > >>>>>>>>> <[email protected] > >>>>>>>> : > >>>>>>>>> > >>>>>>>>> Do we now have a Lucene/Solr dependency in OpenNLP ? or am I > >>>>>>>>> reading > >>>>>>>>> this wrong? > >>>>>>>>> > >>>>>>>>> सोम, 8 जून 2026 को 10:26 am बजे को Richard Zowalla <[email protected]> > >>>>>>> ने > >>>>>>>>> लिखा: > >>>>>>>>> > >>>>>>>>>> Hi all, > >>>>>>>>>> > >>>>>>>>>> This page lists Lucene 8 as EOL: > >>>>>>>>>> https://endoflife.date/apache-lucene > >>>>>>>>>> <https://endoflife.date/apache-lucene> > >>>>>>> <https://endoflife.date/apache-lucene > >>>>>>> <https://endoflife.date/apache-lucene>> > >>>>>>>>>> > >>>>>>>>>> And what I found here from SOLR is: > >>>>>>>>>> > >>>>>>>>>> "With Lucene 10 having been released, and therefore Lucene 8 > >>>>>>>>>> reaching > >>>>>>> EOL, > >>>>>>>>>> the Apache Lucene and Solr PMCs are no longer able to provide new > >>>>>>> releases > >>>>>>>>>> for Solr 8. Solr 8.11.4 will be the last release of Solr 8.“ > >>>>>>>>>> Cf. https://solr.apache.org/news.html#solr-8-reaches-end-of-life > >>>>>>>>>> <https://solr.apache.org/news.html#solr-8-reaches-end-of-life> < > >>>>>>> https://solr.apache.org/news.html#solr-8-reaches-end-of-life > >>>>>>> <https://solr.apache.org/news.html#solr-8-reaches-end-of-life>> > >>>>>>>>>> > >>>>>>>>>> Couldn’t find any authoritative source from the Lucene PMC > >>>>>>>>>> regarding > >>>>>>> only > >>>>>>>>>> maintaining 2 release lines, but the Solr posted the above. > >>>>>>>>>> > >>>>>>>>>> In general: No objections from my side, but the last 8.11.x > >>>>>>>>>> release of > >>>>>>>>>> Lucene was done 2 years ago - so IMHO there should be a clear > >>>>>>>>>> release > >>>>>>> plan > >>>>>>>>>> on their side, if we make the extra round-trip... > >>>>>>>>>> > >>>>>>>>>> Gruß > >>>>>>>>>> Richard > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>>>> Am 08.06.2026 um 14:43 schrieb Jeff Zemerick > >>>>>>>>>>>> <[email protected] > >>>>>>>> : > >>>>>>>>>>> > >>>>>>>>>>> Hi all, > >>>>>>>>>>> > >>>>>>>>>>> About a month ago we had a few CVEs get addressed. (Thanks to > >>>>>>>>>>> those > >>>>>>>>>>> who took care of them.) Those fixes went into the 2.x branch and > >>>>>>>>>>> for > >>>>>>>>>>> 3.0. > >>>>>>>>>>> > >>>>>>>>>>> At least one of those CVEs affects 1.9.x. Normally, I don't think > >>>>>>>>>>> I > >>>>>>>>>>> would worry about it, but in this case, Apache Lucene depends on > >>>>>>>>>>> 1.9.x, and Lucene is still doing releases on that version (8.11), > >>>>>>>>>>> which is used by Solr 8. > >>>>>>>>>>> > >>>>>>>>>>> What are everyone's thoughts on doing a 1.9.5 release to address, > >>>>>>>>>>> in > >>>>>>>>>>> particular, OPENNLP-1820 > >>>>>>>>>>> (https://issues.apache.org/jira/browse/OPENNLP-1820 > >>>>>>>>>>> <https://issues.apache.org/jira/browse/OPENNLP-1820> < > >>>>>>> https://issues.apache.org/jira/browse/OPENNLP-1820 > >>>>>>> <https://issues.apache.org/jira/browse/OPENNLP-1820>>) and then > >>>>>>> making a > >>>>>>>>>>> PR to get 1.9.5 into Lucene (and then downstream into Solr)? > >>>>>>>>>>> > >>>>>>>>>>> Thanks, > >>>>>>>>>>> Jeff > >>>>>>>>>> > >>>>>>>>>> > >>>>>>> > >>>>>>> Disclaimer > >>>>>>> > >>>>>>> The information contained in this communication from the sender is > >>>>>>> confidential. It is intended solely for use by the recipient and > >>>>>>> others > >>>>>>> authorized to receive it. If you are not the recipient, you are hereby > >>>>>>> notified that any disclosure, copying, distribution or taking action > >>>>>>> in > >>>>>>> relation of the contents of this information is strictly prohibited > >>>>>>> and may > >>>>>>> be unlawful. > >>>>>>> > >>>>>>> This email has been scanned for viruses and malware, and may have been > >>>>>>> automatically archived by Mimecast, a leader in email security and > >>>>>>> cyber > >>>>>>> resilience. Mimecast integrates email defenses with brand protection, > >>>>>>> security awareness training, web security, compliance and other > >>>>>>> essential > >>>>>>> capabilities. Mimecast helps protect large and small organizations > >>>>>>> from > >>>>>>> malicious activity, human error and technology failure; and to lead > >>>>>>> the > >>>>>>> movement toward building a more resilient world. To find out more, > >>>>>>> visit > >>>>>>> our website. > >>>>>>> > >>>> > >>> > >> > > Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast, a leader in email security and cyber resilience. Mimecast integrates email defenses with brand protection, security awareness training, web security, compliance and other essential capabilities. Mimecast helps protect large and small organizations from malicious activity, human error and technology failure; and to lead the movement toward building a more resilient world. To find out more, visit our website.
