[
https://issues.apache.org/jira/browse/SOLR-16324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17575468#comment-17575468
]
Gus Heck commented on SOLR-16324:
---------------------------------
When I looked at this it seemed that this dependency is inherited from
hadoop-auth module, apparently via explicitly specfied transitive dependencies
in that build file, near a comment that these are used for
hadoop-common/Kerberos. Removing it didn't seem to inhibit compilation (top
level gradle classes task) in my ide.
Hadoop tests fail if I remove this dep, and did pass with 2.8 FWIW
Thus, there is a fair chance (but I will not not claim 100% certainty since
these are just quick checks) that non-kerberos users are unaffected.
Someone better able to truly verify Hadoop/Kerberos stuff works with 2.8 or
upgrade Hadoop dependencies if applicable should look at this.
> CVE-2022-33980 in commons-configuration2
> ----------------------------------------
>
> Key: SOLR-16324
> URL: https://issues.apache.org/jira/browse/SOLR-16324
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Andrew Kulick
> Priority: Major
>
> CVE-2022-33980 is present in org.apache.commons_commons-configuration2:2.7.
> Upgrading to version 2.8 will remediate the issue
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
