[ https://issues.apache.org/jira/browse/SOLR-18013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jota Martos updated SOLR-18013:
-------------------------------
    Affects Version/s: 9.10
                           (was: 9.10.1)

> Upgrade lz4 jar to fix CVE-2025-12183 and CVE-2025-66566
> --------------------------------------------------------
>
>                 Key: SOLR-18013
>                 URL: https://issues.apache.org/jira/browse/SOLR-18013
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 9.10
>            Reporter: Jota Martos
>            Priority: Major
>
> CVE ID: CVE-2025-12183
> Affected Solr Version: 9.10.0
> Vulnerable Dependency: lz4 1.8.0
> Impact: Various lz4-java compression and decompression implementations do not 
> guard against out-of-bounds memory access. Untrusted input may lead to denial 
> of service and information disclosure.
> Context: The official lz4-java project has been discontinued. A community 
> fork is available [here|https://github.com/yawkat/lz4-java]. To address 
> [CVE-2025-12183|https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183], 
> Sonatype has added a redirect from org.lz4:lz4-java:1.8.1 to the new group 
> ID.
> Fix: This is fixed in at.yawk.lz4:lz4-java:1.8.1
>
> CVE ID: CVE-2025-66566
> Affected Solr Version: 9.10.0
> Vulnerable Dependency: lz4 1.8.0
> Impact: Insufficient clearing of the output buffer in Java-based decompressor 
> implementations in lz4-java 1.10.0 and earlier allows remote attackers to 
> read previous buffer contents via crafted compressed input. In applications 
> where the output buffer is reused without being cleared, this may lead to 
> disclosure of sensitive data.
> Fix: This is fixed in at.yawk.lz4:lz4-java:1.10.1



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
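The second CVE above singles out callers that reuse one output buffer across decompression calls without clearing it. The following is an added example, not code from the issue, from Solr or from lz4-java: it shows the caller-side discipline (clear the reused buffer, use the bounded safe decompressor, return only the bytes actually written) that keeps stale bytes from one record out of the next. It assumes the public net.jpountz.lz4 API of lz4-java and a constructed pair of sample records; the class and method names are hypothetical. The actual fix remains the dependency upgrade the issue names (at.yawk.lz4:lz4-java:1.10.1); this pattern is defence in depth for code that keeps the reuse pattern.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

/**
 * Added example (not Solr's or lz4-java's own code). A decompressor caller
 * that reuses a single output buffer across records, written so that no
 * bytes from a previous record can reach the consumer of the next one.
 */
public final class ReusedBufferDecompress {

    private static final LZ4Factory FACTORY = LZ4Factory.safeInstance();
    private static final LZ4Compressor COMPRESSOR = FACTORY.fastCompressor();
    private static final LZ4SafeDecompressor DECOMPRESSOR = FACTORY.safeDecompressor();

    /** One output buffer reused for every record: the pattern the advisory warns about. */
    final byte[] reusedOut;

    ReusedBufferDecompress(int maxRecordBytes) {
        this.reusedOut = new byte[maxRecordBytes];
    }

    /** Decompress one record and return exactly the bytes the decompressor produced. */
    byte[] decompressRecord(byte[] compressed) {
        // 1. Clear leftovers from the previous record before the decompressor runs,
        //    so a short or malformed frame can only surface zeros, not old data.
        Arrays.fill(reusedOut, (byte) 0);

        // 2. The safe decompressor is bounded by maxDestLen and throws LZ4Exception
        //    on malformed input instead of writing past the buffer. It returns the
        //    number of decompressed bytes written.
        int n = DECOMPRESSOR.decompress(compressed, 0, compressed.length,
                                        reusedOut, 0, reusedOut.length);

        // 3. Hand out a copy of only the n bytes written; never expose the backing buffer.
        return Arrays.copyOf(reusedOut, n);
    }

    /** Helper to build the constructed sample records. */
    static byte[] compress(byte[] plain) {
        int max = COMPRESSOR.maxCompressedLength(plain.length);
        byte[] buf = new byte[max];
        int len = COMPRESSOR.compress(plain, 0, plain.length, buf, 0, max);
        return Arrays.copyOf(buf, len);
    }

    public static void main(String[] args) {
        ReusedBufferDecompress dec = new ReusedBufferDecompress(256);

        // Constructed sample input: a long record followed by a short one.
        byte[] first  = compress("session-token=constructed-sample-value-not-real"
                .getBytes(StandardCharsets.UTF_8));
        byte[] second = compress("ok".getBytes(StandardCharsets.UTF_8));

        byte[] a = dec.decompressRecord(first);
        byte[] b = dec.decompressRecord(second);
        System.out.println(new String(a, StandardCharsets.UTF_8));
        System.out.println(new String(b, StandardCharsets.UTF_8)); // "ok", length 2

        // Everything past the second record's length was zeroed before that call,
        // so nothing of the first record remains reachable in the shared buffer.
        for (int i = b.length; i < dec.reusedOut.length; i++) {
            if (dec.reusedOut[i] != 0) {
                throw new AssertionError("stale bytes left in reused buffer at " + i);
            }
        }
        System.out.println("reused buffer holds no residue from the previous record");
    }
}
```

The clearing step costs one Arrays.fill per record, which is cheap next to decompression itself; if that is unacceptable on a hot path, sizing a fresh buffer per call or upgrading to the fixed lz4-java release are the alternatives, and the upgrade is required in any case.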
