[ https://issues.apache.org/jira/browse/SOLR-16568?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated SOLR-16568:
--------------------------------
    Description: 
This was brought up on the mailing list here: 
https://lists.apache.org/thread/psc4r75o933y22jos4xk5rcwhof48sdw

The automatically created CVEs against xstream are misleading; read the 
thread above to try to find out more. It's not clear which CVEs, if any, are 
actually valid.

The only one that looks still valid against woodstox-core is 
https://github.com/advisories/GHSA-3f7h-mf4q-vrm4

----

Our container scan detects woodstox 6.2.8 

/opt/bitnami/solr/server/solr-webapp/webapp/WEB-INF/lib/woodstox-core-6.2.8.jar

  was:
This was brought up on the mailing list here: 
https://lists.apache.org/thread/psc4r75o933y22jos4xk5rcwhof48sdw

The automatically created CVEs against xstream are misleading; read the 
thread above to try to find out more. It's not clear which CVEs, if any, are 
actually valid.

----

Our container scan detects woodstox 6.2.8 

/opt/bitnami/solr/server/solr-webapp/webapp/WEB-INF/lib/woodstox-core-6.2.8.jar


> Update woodstox-core to 6.4.0 to mitigate CVE-2022-40152
> --------------------------------------------------------
>
>                 Key: SOLR-16568
>                 URL: https://issues.apache.org/jira/browse/SOLR-16568
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 9.1
>            Reporter: Bill Kidwell
>            Assignee: Kevin Risden
>            Priority: Major
>              Labels: security
>             Fix For: main (10.0)
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> This was brought up on the mailing list here: 
> https://lists.apache.org/thread/psc4r75o933y22jos4xk5rcwhof48sdw
> The automatically created CVEs against xstream are misleading; read the 
> thread above to try to find out more. It's not clear which CVEs, if any, are 
> actually valid.
> The only one that looks still valid against woodstox-core is 
> https://github.com/advisories/GHSA-3f7h-mf4q-vrm4
> ----
> Our container scan detects woodstox 6.2.8 
> /opt/bitnami/solr/server/solr-webapp/webapp/WEB-INF/lib/woodstox-core-6.2.8.jar


