Where do you see that list? Looking in Maven, you see clearly that solrj 8.9 depends on the new jetty jars: https://mvnrepository.com/artifact/org.apache.solr/solr-solrj/8.9.0
Also, the jetty jars in solrj-lib folder in the binary download of Solr contains the updated jars Jan > 13. jul. 2021 kl. 10:53 skrev Craig Wrigglesworth > <craig.wriggleswo...@autotrader.co.uk.INVALID>: > > Hi, > > I was pleased to see that jetty was updated in the Solr 8.9 release > > SOLR-15316: Upgrade Jetty to 9.4.41.v20210516 > (janhoy, Mike Drob) > > However I still see the older jetty and netty dependencies in solrj 8.9.0 so > we still have all the accompanying CVE issues. Should Solrj not have been > updated at the same time? > > [INFO] +- org.apache.solr:solr-solrj:jar:8.9.0:compile > [INFO] | +- commons-io:commons-io:jar:2.8.0:compile > [INFO] | +- io.netty:netty-buffer:jar:4.1.60.Final:compile > [INFO] | +- io.netty:netty-codec:jar:4.1.60.Final:compile > [INFO] | +- io.netty:netty-common:jar:4.1.60.Final:compile > [INFO] | +- io.netty:netty-handler:jar:4.1.60.Final:compile > [INFO] | +- io.netty:netty-resolver:jar:4.1.60.Final:compile > [INFO] | +- io.netty:netty-transport:jar:4.1.60.Final:compile > [INFO] | +- io.netty:netty-transport-native-epoll:jar:4.1.60.Final:compile > [INFO] | +- > io.netty:netty-transport-native-unix-common:jar:4.1.60.Final:compile > [INFO] | +- org.apache.commons:commons-math3:jar:3.6.1:compile > [INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile > [INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.14:compile > [INFO] | +- org.apache.httpcomponents:httpmime:jar:4.5.13:compile > [INFO] | +- org.apache.zookeeper:zookeeper:jar:3.6.2:compile > [INFO] | +- org.apache.zookeeper:zookeeper-jute:jar:3.6.2:compile > [INFO] | +- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile > [INFO] | +- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:compile > [INFO] | +- org.eclipse.jetty:jetty-alpn-client:jar:9.4.38.v20210224:compile > [INFO] | +- > org.eclipse.jetty:jetty-alpn-java-client:jar:9.4.38.v20210224:compile > [INFO] | +- org.eclipse.jetty:jetty-client:jar:9.4.38.v20210224:compile > [INFO] | +- org.eclipse.jetty:jetty-http:jar:9.4.38.v20210224:compile > [INFO] | +- org.eclipse.jetty:jetty-io:jar:9.4.38.v20210224:compile > [INFO] | +- org.eclipse.jetty:jetty-util:jar:9.4.38.v20210224:compile > [INFO] | +- org.eclipse.jetty.http2:http2-client:jar:9.4.38.v20210224:compile > [INFO] | +- org.eclipse.jetty.http2:http2-common:jar:9.4.38.v20210224:compile > [INFO] | +- org.eclipse.jetty.http2:http2-hpack:jar:9.4.38.v20210224:compile > [INFO] | +- > org.eclipse.jetty.http2:http2-http-client-transport:jar:9.4.38.v20210224:compile > [INFO] | \- org.xerial.snappy:snappy-java:jar:1.1.7.6:compile > Unless expressly stated otherwise in this email, this e-mail is sent on > behalf of Auto Trader Limited Registered Office: 1 Tony Wilson Place, > Manchester, Lancashire, M15 4FN (Registered in England No. 03909628). Auto > Trader Limited is part of the Auto Trader Group Plc group. This email and any > files transmitted with it are confidential and may be legally privileged, and > intended solely for the use of the individual or entity to whom they are > addressed. If you have received this email in error please notify the sender. > This email message has been swept for the presence of computer viruses.
