In case anyone wants to patch 7.7.3 from source, here's a patch and
quick build instructions:
Apply the attached patch -- hopefully the mailing list won't nerf the
attachment.
git am < /path/to/CVE-2021-4422.txt
ant clean compile jar -Dversion=7.7.3
cd solr
ant package -Dversion=7.7.3
- Bram
From: Bram <bram.van...@intix.eu>
Date: Fri, 10 Dec 2021 13:44:29 +0100
Subject: [PATCH] CVE-2021-44228 Critical security issue in Log4J
---
lucene/ivy-versions.properties | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lucene/ivy-versions.properties b/lucene/ivy-versions.properties
index 1c6be1ebf13..a8eca1a18ae 100644
--- a/lucene/ivy-versions.properties
+++ b/lucene/ivy-versions.properties
@@ -178,7 +178,7 @@ org.apache.james.apache.mime4j.version = 0.8.2
/org.apache.james/apache-mime4j-core =
${org.apache.james.apache.mime4j.version}
/org.apache.james/apache-mime4j-dom = ${org.apache.james.apache.mime4j.version}
-org.apache.logging.log4j.version = 2.11.0
+org.apache.logging.log4j.version = 2.15.0
/org.apache.logging.log4j/log4j-1.2-api = ${org.apache.logging.log4j.version}
/org.apache.logging.log4j/log4j-api = ${org.apache.logging.log4j.version}
/org.apache.logging.log4j/log4j-core = ${org.apache.logging.log4j.version}
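Review bot: The diffstat reports "2 files changed, 2 insertions(+), 2 deletions(-)", but it lists only lucene/ivy-versions.properties, and this single hunk with one changed line is the only change present, so the second file's change appears to be missing from this copy of the patch. Please resend the complete patch, or regenerate it so the stat matches the content. Separately, the context line for /org.apache.james/apache-mime4j-core has been wrapped onto two lines, which leaves more lines in the hunk than the 7 declared in the @@ header, so git am is likely to reject it as posted. Sending it as an unwrapped attachment would avoid that.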
--
2.31.1