[
https://issues.apache.org/jira/browse/SOLR-17127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan Høydahl resolved SOLR-17127.
--------------------------------
Resolution: Information Provided
Hi,
We do not accept broad "security scan reports" as this, please read
[https://solr.apache.org/security.html], so closing this JIRA.
What would be useful is if you focus on *ONE CVE* that you believe can be
exploited in Solr. If you identify one, you can help the project by trying to
exploit the CVE and reporting reproduction steps, or even a PR such as an
upgrade to the vulnerable dependency. You may use the mailing lists to discuss
such findings before opening a JIRA.
Another way you may help the project is if you find a CVE that is reported by
your scanner tool, but is not exploitable in Solr. Then you can file a PR to
add it to the [not-exploitable table of security
page|https://solr.apache.org/security.html#cve-reports-for-apache-solr-dependencies]
if it is not already listed. Users can then use our VEX file as input to
scanners to avoid false positives.
> Update components in solr 8.11.2 and 9.4.1
> ------------------------------------------
>
> Key: SOLR-17127
> URL: https://issues.apache.org/jira/browse/SOLR-17127
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Rafael Rios Saavedra
> Priority: Major
>
> There are several components affected by CVEs in solr: 8.11.2 and 9.4.1.
> You could list them by running trivy scans:
> {code:java}
> $ trivy image --vuln-type library solr:8.11.2
> $ trivy image --vuln-type library solr:9.4.1 {code}
> is there any plan to update them ? I could not find any reference.
> Thanks forehand
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
