[ https://issues.apache.org/jira/browse/SOLR-15911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17542400#comment-17542400 ]

Andras Salamon commented on SOLR-15911:
---------------------------------------

Is it still valid? It seems to me we are using a newer protobuf right now
[https://github.com/apache/solr/blob/cfcd9e050815688c155b037b91779afb427e89e1/versions.lock#L47-L48]
{noformat}
com.google.protobuf:protobuf-java:3.19.4 (9 constraints: 2183ee29)
com.google.protobuf:protobuf-java-util:3.19.2 (3 constraints: 422b4c2e)
{noformat}

> Protobuf 3.16.1 compatibility
> -----------------------------
>
>                 Key: SOLR-15911
>                 URL: https://issues.apache.org/jira/browse/SOLR-15911
>             Project: Solr
>          Issue Type: Test
>            Reporter: Ivan Viaznikov
>            Priority: Major
>
> A vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-22569) was
> discovered that affects protobuf-java. The version `3.11.0` of this library
> comes as a dependency with `org.apache.solr:solr-clustering` and
> `org.apache.solr:solr-analysis-extras`. However, the vulnerability is only
> fixed in versions `3.19.2`, `3.18.2` and `3.16.1`.
> Therefore, requesting you to clarify if any of the fixed versions of
> protobuf-java are compatible with `org.apache.solr:solr-clustering` and
> `org.apache.solr:solr-analysis-extras`
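
An added example, not part of the Jira thread or of Solr's build: a check of `versions.lock` entries against the fixed protobuf-java versions listed in the issue. The function names, the treatment of release lines newer than 3.19 as fixed, and the `OLD_LOCK` entry are assumptions made for illustration.

```python
import re

# Fixed protobuf-java patch level per release line, as listed in the issue:
# 3.16.1, 3.18.2 and 3.19.2.
FIXED = {(3, 16): 1, (3, 18): 2, (3, 19): 2}
NEWEST_FIXED_LINE = max(FIXED)

# versions.lock entry: "group:artifact:version (N constraints: hash)"
LOCK_LINE = re.compile(
    r"^(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<version>\S+)"
    r"\s+\(\d+ constraints?: [0-9a-f]+\)$"
)

def is_patched(version):
    """True if `version` is at or above the fix on its own release line."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    line = (major, minor)
    if line in FIXED:
        return patch >= FIXED[line]
    # Lines with no listed fix (e.g. 3.11, 3.17) are reported as unpatched.
    # Assumption: lines newer than the newest fixed line carry the fix.
    return line > NEWEST_FIXED_LINE

def audit_lock(text, artifact="com.google.protobuf:protobuf-java"):
    """Return (coordinate, version, patched) for each matching lock entry."""
    findings = []
    for raw in text.splitlines():
        m = LOCK_LINE.match(raw.strip())
        if m and f"{m['group']}:{m['artifact']}" == artifact:
            findings.append((artifact, m["version"], is_patched(m["version"])))
    return findings

# The two lock entries quoted in the comment above.
SAMPLE_LOCK = """\
com.google.protobuf:protobuf-java:3.19.4 (9 constraints: 2183ee29)
com.google.protobuf:protobuf-java-util:3.19.2 (3 constraints: 422b4c2e)
"""
# Constructed entry for the 3.11.0 dependency the issue reports
# (constraint count and hash are made up).
OLD_LOCK = "com.google.protobuf:protobuf-java:3.11.0 (1 constraints: 00000000)\n"

if __name__ == "__main__":
    for coord, version, ok in audit_lock(SAMPLE_LOCK) + audit_lock(OLD_LOCK):
        print(f"{coord}:{version} -> {'patched' if ok else 'NOT patched'}")
```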