ppkarwasz commented on PR #152: URL: https://github.com/apache/solr-site/pull/152#issuecomment-3468291784
The current VEX statement is explicitly scoped to the version range `9.0.0–9.9.0`. If a future Solr release includes `commons-lang3` version `3.15.0` or higher, the analysis would need to be redone from scratch, since the relevant code paths could have changed. This assessment was performed manually and verified against version `9.9.0`, so it would be more accurate to narrow the statement to that specific release rather than the entire range. For future releases, the dependency has already been upgraded to `commons-lang3:3.18.0` in apache/solr#3549, which fully addresses the underlying CVE.
