Hi Harry,

Relevant, announced CVEs are listed here https://solr.apache.org/security.html and that page links a wiki page where false positives are usually listed.

-Gus

On Tue, Nov 1, 2022 at 1:31 PM Silverman, Harry <jsilver...@gpo.gov.invalid> wrote:
> Thanks for your reply, and I understand.
>
> It is a separate department that is running the vulnerability scans and then reaching out to product owners for mitigation plans. I will relay this info.
>
> It would help (me) if this info was presented on a public-facing Solr webpage, but no worries.
>
> Thanks again,
> Jay
>
> -----Original Message-----
> From: Shawn Heisey <apa...@elyograg.org>
> Sent: Tuesday, November 1, 2022 9:23 AM
> To: users@solr.apache.org
> Subject: [External] Re: Upgrade Jackson / SOLR-16443
>
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> On 10/31/22 07:26, Silverman, Harry wrote:
> > I see SOLR-16443 is being addressed in version 9.
> >
> > Will this jackson-databind update also be applied to 8.11?
>
> In the issue, Kevin indicated that the CVEs are unlikely to affect Solr, and that our current stable branch for 9.x was being updated. We regularly update our dependencies to keep them current.
>
> At this time, the change has not been backported to the 8.11 branch. Even if that happens, the problem is not severe enough to warrant a new 8.11.x release.
>
> I'm guessing that your motivation comes from running a vulnerability scanner and getting a notification about a vulnerability in the old Solr version.
>
> If you cannot just flag those reports as false positives, something you could try is finding all the Jackson jars in Solr and replacing them with a version that has the fix. To make sure that there are no issues with internal APIs, you would need to update ALL the Jackson jars, not just those with the vulnerability. Jackson has a very stable external API, so that upgrade will PROBABLY work. I can't guarantee that, though.
>
> Thanks,
> Shawn

--
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)
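A check for the jar-replacement approach Shawn describes above, written as an added example that is not part of this thread or of the Solr project. Before and after swapping jars, it enumerates every `jackson-*.jar` under an install tree and confirms they all carry one version, since mixing Jackson versions is exactly the internal-API breakage he warns about. The directory layout, the jar set and the version numbers (2.13.2, 2.12.6) in the demo are constructed placeholders, not the versions referenced by SOLR-16443; the only assumption about real installs is the Maven-style `jackson-<module>-<version>.jar` file naming.

```shell
#!/bin/sh
# Added example (not Solr project code): audit Jackson jar versions under a
# Solr install directory so a manual jar swap can be verified to be complete.
# Assumes jars follow the Maven convention jackson-<module>-<version>.jar.

# Print "module version" for every jackson jar found recursively under $1.
list_jackson_jars() {
  find "$1" -type f -name 'jackson-*.jar' | while read -r jar; do
    base=$(basename "$jar" .jar)
    module=${base%-*}      # strip the trailing "-<version>"
    version=${base##*-}    # keep only the trailing "<version>"
    printf '%s %s\n' "$module" "$version"
  done | sort
}

# Print every jackson jar under $1 whose version is not $2 (the target
# version you replaced jars with). Empty output means the swap was complete.
stale_jackson_jars() {
  list_jackson_jars "$1" | awk -v want="$2" '$2 != want'
}

# Succeed only if all jackson jars under $1 share a single version.
# Prints the distinct versions seen so a mismatch is easy to spot.
check_jackson_versions() {
  versions=$(list_jackson_jars "$1" | awk '{print $2}' | sort -u)
  if [ -z "$versions" ]; then
    echo "no jackson jars found under $1" >&2
    return 1
  fi
  count=$(printf '%s\n' "$versions" | wc -l | tr -d ' ')
  echo "distinct jackson versions under $1: $(printf '%s' "$versions" | tr '\n' ' ')"
  [ "$count" -eq 1 ]
}

# Constructed demo install (hypothetical layout and versions, for illustration
# only): four jars at 2.13.2 in the webapp lib dir and one extra jar at the
# version given as $1 in server/lib/ext, mimicking a jar that was missed.
make_demo_install() {
  root=$(mktemp -d)
  lib="$root/server/solr-webapp/webapp/WEB-INF/lib"
  mkdir -p "$lib" "$root/server/lib/ext"
  for m in jackson-core jackson-databind jackson-annotations jackson-dataformat-smile; do
    : > "$lib/$m-2.13.2.jar"
  done
  : > "$root/server/lib/ext/jackson-module-jaxb-annotations-$1.jar"
  echo "$root"
}

# Usage against a real install: sh jackson-audit.sh /opt/solr
if [ "$#" -gt 0 ]; then
  check_jackson_versions "$1"
fi
```

Run `stale_jackson_jars /opt/solr <new-version>` after replacing jars; any line it prints is a jar that was left behind and would put the install into the mixed-version state Shawn cautions against.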