Hi Colvin,

I do "trivy image solr:9.3.0" and receive this:

com.google.guava:guava (hadoop-shaded-guava-1.1.1.jar)
com.google.guava:guava (hadoop-client-runtime-3.3.5.jar)

So, it's shaded via hadoop. But I was just about to answer my own request 
anyhow: I checked hadoop source for release 3.3.5 and could not find any 
mention of the problematic class "FileBackedOutputStream". So, maybe this is 
not a problem at all?

Stefan

From: Colvin Cowie <colvin.cowie....@gmail.com>
Date: Monday, 21. August 2023 at 13:19
To: users@solr.apache.org <users@solr.apache.org>
Subject: Re: HIGH CVE-2023-2976 in Solr 9.3.0

Hello. Solr 9.3.0 itself shipped with guava-32.0.1-jre. Where exactly are
you seeing the old version?

On Mon, 21 Aug 2023 at 11:59, Pieper, Stefan
<stefan.pie...@coremedia.com.invalid> wrote:

> Hi there,
>
>
>
> a trivy image scan on solr:9.3.0 reveals CVE-2023-2976, rated HIGH, for
> com.google.guava:guava: 30.1.1-jre. I fail to find any information on
> relevance of this to Solr or Hadoop which introduces the dependency.
>
>
>
> Can you provide information on the severity of this CVE in context of Solr?
>
>
>
> Thanks!
>
> Stefan
>
>
>
> --
>
> Stefan Pieper
> Senior Software Engineer

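One way to triage the question raised in this thread, as an added example that is not part of the original messages: a shaded jar can bundle `FileBackedOutputStream` under a relocated package even when the project's own source never names it, so this scans a jar for copies of the class under any package prefix and for other classes whose bytes mention it. The entry names and the `example/shaded` prefix in the sample jar are constructed placeholders, not the real contents of the Hadoop jars.

```python
import io
import zipfile

NEEDLE = b"FileBackedOutputStream"  # class named in the thread


def scan_jar(jar):
    """Return (defines, references) for one jar (path or file object).

    defines:    entries that are the class itself or its inner classes, under
                any package prefix, so relocated (shaded) copies are found too.
    references: other .class entries whose bytes mention the class name,
                i.e. candidate callers found through their constant pool.
    """
    defines, references = [], []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            simple = name.rsplit("/", 1)[-1][:-len(".class")]
            if simple.split("$", 1)[0] == NEEDLE.decode():
                defines.append(name)
            elif NEEDLE in zf.read(name):  # zipfile decompresses the entry
                references.append(name)
    return sorted(defines), sorted(references)


def build_sample_jar(entries):
    """Constructed test input: an in-memory jar built from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample; "example/shaded" is a placeholder relocation prefix.
SAMPLE = {
    "example/shaded/com/google/common/io/FileBackedOutputStream.class": b"\xca\xfe\xba\xbe stub",
    "example/shaded/com/google/common/io/FileBackedOutputStream$1.class": b"\xca\xfe\xba\xbe stub",
    "example/app/Spooler.class": b"\xca\xfe\xba\xbe example/shaded/com/google/common/io/FileBackedOutputStream",
    "example/app/Other.class": b"\xca\xfe\xba\xbe nothing relevant",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}

if __name__ == "__main__":
    defines, references = scan_jar(build_sample_jar(SAMPLE))
    print("defines:", defines)
    print("referenced by:", references)
```

An empty `references` list covers only the jar that was scanned: callers in other jars on the classpath, jars nested inside jars, and reflective use are not seen by this check.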