[https://issues.apache.org/jira/browse/SOLR-15855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17628294#comment-17628294]
Jan Høydahl commented on SOLR-15855:
------------------------------------
Test framework is not shipped with 9.0,
https://issues.apache.org/jira/browse/SOLR-15470
Also, htrace was removed when upgrading hadoop in 9.0,
https://issues.apache.org/jira/browse/SOLR-16039
So I think this Jira can be closed.
> CVEs in shadowed dependencies
> -----------------------------
>
> Key: SOLR-15855
> URL: https://issues.apache.org/jira/browse/SOLR-15855
> Project: Solr
> Issue Type: Bug
> Affects Versions: 8.11.1
> Reporter: Chris Adams
> Priority: Major
>
> Our Solr deployments had a number of CVEs flagged due to shadowed
> dependencies in some non-core components:
> * htrace-core4 pulls in jackson-databind, and hasn't been updated in many
> years since the project shut down around 2016. This leaves around 50 critical
> CVEs — although it's not clear whether any of these are actually exploitable
> in the Solr configuration, it will generate a lot of noise for Solr users in
> security-conscious environments.
> This doesn't appear to be a hard dependency for Solr in normal use but I see
> that the HBase project has a plan to replace it with a shim:
> https://issues.apache.org/jira/browse/HBASE-24802
> * The test framework pulls in junit4-ant which has an old simple-xml
> vulnerable to
> [CVE-2017-1000190|https://nvd.nist.gov/vuln/detail/CVE-2017-1000190]:
> /opt/solr-8.11.1/dist/test-framework/lib/junit4-ant-2.7.2.jar
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
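The noise described in the report comes from dependencies bundled ("shadowed") inside another jar, which scanners attribute to the containing artifact. The following is an added example, not code from the Solr project or this thread, that inventories what a jar embeds: the `pom.properties` records Maven leaves under `META-INF/maven/` and class paths that carry a well-known package under a relocated prefix. The sample jar is constructed in memory, with made-up coordinates and versions, so the script runs offline.

```python
import io
import re
import zipfile

# Maven-built jars record every embedded module as META-INF/maven/<group>/<artifact>/pom.properties
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def bundled_dependencies(jar_bytes: bytes) -> dict:
    """Return {'group:artifact': version} for each pom.properties embedded in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            found[f"{m.group(1)}:{m.group(2)}"] = props.get("version", "unknown")
    return found


def relocated_packages(jar_bytes: bytes, marker: str = "fasterxml/jackson") -> set:
    """Directories holding classes of `marker` under a prefix other than the upstream one.

    Shade plugins that rewrite package names may drop pom.properties, so this catches
    copies the inventory above would miss. Returns the relocated package directories."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class") and marker in name and not name.startswith("com/" + marker):
                hits.add(name.rsplit("/", 1)[0])
    return hits


def build_sample_jar() -> bytes:
    """Constructed sample jar (hypothetical org.example coordinates, made-up versions)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.example/sample-core/pom.properties",
                     "version=4.0.0\ngroupId=org.example\nartifactId=sample-core\n")
        jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                     "#generated\nversion=2.4.0\ngroupId=com.fasterxml.jackson.core\n"
                     "artifactId=jackson-databind\n")
        # a relocated (shaded) class: the package prefix was rewritten at build time
        jar.writestr("org/example/shaded/fasterxml/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    print(bundled_dependencies(sample))
    print(relocated_packages(sample))
```

Run it against a real jar by replacing `build_sample_jar()` with the file's bytes; an embedded version that differs from the one your build declares is the mismatch a scanner reports.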