[ https://issues.apache.org/jira/browse/SOLR-15911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17542454#comment-17542454 ]
Eric Pugh commented on SOLR-15911:
----------------------------------

Makes sense to me. As an aside, I didn't realize that there is only a single versions.lock file for Solr; I would have thought there was a separate one for each module.

> Protobuf 3.16.1 compatibility
> -----------------------------
>
> Key: SOLR-15911
> URL: https://issues.apache.org/jira/browse/SOLR-15911
> Project: Solr
> Issue Type: Test
> Reporter: Ivan Viaznikov
> Priority: Major
>
> A vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-22569) was
> discovered that affects protobuf-java. The version `3.11.0` of this library
> comes as a dependency with `org.apache.solr:solr-clustering` and
> `org.apache.solr:solr-analysis-extras`. However, the vulnerability is only
> fixed in versions `3.19.2`, `3.18.2` and `3.16.1`.
> Therefore, requesting you to clarify if any of the fixed versions of
> protobuf-java are compatible with `org.apache.solr:solr-clustering` and
> `org.apache.solr:solr-analysis-extras`