ppkarwasz commented on code in PR #195: URL: https://github.com/apache/solr-site/pull/195#discussion_r3436546310
########## content/solr/vex/2026-04-10-cve-2026-34477.md: ########## @@ -0,0 +1,44 @@ +--- +cve: CVE-2026-34477 +jira: SOLR-18288 +category: + - solr/vex +versions: "9.10.1, 10.0.0"

Review Comment:
The `versions` field is only displayed in the HTML version. We still have to figure out how to properly encode it in a VEX file. For example, the [OpenVEX specification](https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md) would require us to give the precise version of the product in each statement.

I don't think we need to mention explicitly which version of Log4j is included in Apache Solr 9.10.1 and 10.0.0; that field is also for the HTML version, so users can find the vulnerable JAR.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
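
Review bot: `versions: "9.10.1, 10.0.0"` in the new front matter packs two releases into one comma-separated string, while `category` just above it is written as a YAML list. If this field is ever mapped to per-version product statements in a machine-readable VEX file, a list with one entry per release would avoid string splitting; otherwise, note in the template that `versions` is free-form display text for the HTML page only. Only the first six of the 44 added lines are visible in this hunk, so this note covers the front matter keys shown and nothing further down the file.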
