Hello Solr Team,

We recently ran an AWS Inspector scan on our environment running Solr *9.9.0* and identified multiple vulnerabilities in bundled dependencies. These include (but may not be limited to):

- netty-common-4.1.114.Final.jar
- netty-handler-4.1.114.Final.jar
- hadoop-client-runtime-3.4.0.jar (multiple occurrences)
- protobuf-java-util-3.25.3.jar
- bcprov-jdk15on-1.70.jar
- apache-mime4j-core-0.8.4.jar
- poi-ooxml-5.2.2.jar
- kafka-clients-3.9.0.jar
- kotlin-stdlib-1.9.10.jar
- jetty-server-10.0.22.jar
- commons-beanutils-1.9.4.jar

As part of our compliance requirements, we need to ensure these vulnerabilities are addressed or have mitigation plans. Could you please advise:

1. Whether updates to these dependencies are already planned or in progress for the next Solr releases.
2. An estimated timeline (ETA) for when fixes or upgraded dependencies will be available.
3. If any backported security patches are planned for Solr 9.9.x.

This information will help us align our upgrade planning and ensure we remain compliant.

Thank you for your support and the continued work on Solr.

--
Nandakumar C S
*SOC* | Filecloud
site: www.filecloud.com
email: nandaku...@filecloud.com