[ https://issues.apache.org/jira/browse/SOLR-15843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17472827#comment-17472827 ]
Gus Heck commented on SOLR-15843:
---------------------------------
[~aaronlab] commenting on closed issues is not the way to start a discussion.
Please use the mailing list. If you were subscribed you would know that this
has been discussed many times there. (And you can probably find an answer
without waiting for a response by checking the archives!)
https://solr.apache.org/community.html

That said, there is also information already published on this page that you
may find useful:
https://cwiki.apache.org/confluence/display/solr/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools

The TLDR is that the most recent CVE
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832) that is fixed
by 2.17.1 would require you to intentionally enable it via configuration that
we do not supply, and that configuration is obscure and unlikely, so this is
not considered a significant risk for Solr.

Finally, if you searched Jira you would have found that there is already a fix
committed: https://issues.apache.org/jira/browse/SOLR-15871
> Update Log4J dependency
> -----------------------
>
> Key: SOLR-15843
> URL: https://issues.apache.org/jira/browse/SOLR-15843
> Project: Solr
> Issue Type: Task
> Reporter: Mike Drob
> Assignee: Mike Drob
> Priority: Critical
> Fix For: 9.0, 8.11.1
>
> Time Spent: 6.5h
> Remaining Estimate: 0h
>
> Log4j 2.15 is about to be released; we should update when it is available.
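As an added example (not code from SOLR-15843, the commenter, or the Solr project), the kind of inventory check an operator would run after reading the comment above: walk a Solr install, find every log4j-core jar, and flag any whose version is below 2.17.1, the release the comment names as fixing CVE-2021-44832. The install location (`$SOLR_HOME`, e.g. /opt/solr) and the Maven-style `log4j-core-<version>.jar` file naming are assumptions; the version threshold comes from the comment.

```shell
#!/bin/sh
# Added example, not code from SOLR-15843 or the Solr project.
# Inventories log4j-core jars under a Solr install and flags any below
# 2.17.1, the release the comment above names as fixing CVE-2021-44832.

FIXED_VERSION="2.17.1"   # taken from the comment; raise it if a newer fix release applies

# Print the version embedded in a jar file name like log4j-core-2.14.1.jar
# (Maven-style naming is an assumption); prints nothing for other names.
jar_version() {
  basename "$1" .jar | sed -n 's/^log4j-core-\([0-9][0-9.]*\)$/\1/p'
}

# Exit 0 if version $1 is numerically lower than version $2, comparing
# dot-separated fields left to right (missing fields count as 0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    len = (n > m) ? n : m;
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0;
      yi = (i <= m) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1;   # versions are equal
  }'
}

# Walk a directory tree, print every log4j-core jar older than FIXED_VERSION,
# and return 1 if any were found (0 if the tree is clean).
scan_log4j_jars() {
  flagged=$(find "$1" -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
    v=$(jar_version "$jar")
    [ -n "$v" ] || continue
    if version_lt "$v" "$FIXED_VERSION"; then
      printf '%s\t%s\n' "$v" "$jar"
    fi
  done)
  if [ -n "$flagged" ]; then
    printf 'log4j-core below %s found:\n%s\n' "$FIXED_VERSION" "$flagged"
    return 1
  fi
  printf 'no log4j-core below %s under %s\n' "$FIXED_VERSION" "$1"
  return 0
}

# Stand-alone use: SOLR_HOME=/opt/solr sh check_log4j.sh
# (the install path is an assumption; nothing runs unless SOLR_HOME is set)
if [ -n "${SOLR_HOME:-}" ]; then
  scan_log4j_jars "$SOLR_HOME"
fi
```

A flagged jar is a patch-priority signal, not proof of exposure: as the comment says, CVE-2021-44832 also needs configuration that Solr does not ship, and the upgrade itself is tracked in SOLR-15871. The version comparison is numeric field by field, so 2.17.0 is correctly reported as below 2.17.1 while 2.17.1 and later pass.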