You need to manage your risk in that case -- Which is worse? a potential log4j vulnerability, your own "hacked" solr war, deploying a pre-release, or delaying the prod rollout?
Will your security scan team allow you to give a mitigation plan and a timeline for a prod upgrade?

On Thu, Mar 24, 2022 at 8:33 AM Heller, George A III CTR (USA) <george.a.heller2....@mail.mil.invalid> wrote:

> What happens if we need to deploy to production before 8.11.2 is released?
>
> -----Original Message-----
> From: Houston Putman <hous...@apache.org>
> Sent: Wednesday, March 23, 2022 7:15 PM
> To: users@solr.apache.org
> Subject: [URL Verdict: Neutral][Non-DoD Source] Re: Solr 8.11.1 upgrading LOG4J from 2.16 to 2.17
>
> All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
>
> ----
>
> Please do not create another JIRA, it is already committed, just waiting on the 8.11.2 release.
>
> Caution-https://issues.apache.org/jira/browse/SOLR-15871
>
> The suggestion across multiple threads in the users list has been to remove the log4j jar, and replace it with the 2.17.1 jar, which will pass security checks.
>
> On Wed, Mar 23, 2022 at 5:53 PM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
>
> > And feel free to open a new JIRA for this log4j upgrade, it will get picked up in 8.11.2 (whenever someone gets time to release it).
> >
> > On Thu, Mar 24, 2022 at 3:18 AM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> >
> > > Here's the issue where Log4J was upgraded. You can look at the pull request there to find out what you need to change. After that, you can build your own Solr binaries for your use (fix in github.com/apache/lucene-solr's branch_8_11 and build using "ant ivy-bootstrap; cd solr; ant package" which will generate a .tgz file).
> > > Caution-https://issues.apache.org/jira/browse/SOLR-15843
> > >
> > > On Thu, Mar 24, 2022 at 12:42 AM Andy Lester <a...@petdance.com> wrote:
> > >
> > >> Go to the Caution-https://solr.apache.org/security.html URL and you will find instructions there on what to do.
> > >>
> > >> Andy
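
An added example, not from the thread or from the Solr project: a check that the jar swap suggested above was carried out everywhere in an install tree, including jars that were only renamed. It assumes log4j jars are named `log4j-<module>-<version>.jar` and carry an `Implementation-Version` manifest entry; the demo tree and its directory names are constructed.

```python
import re, tempfile, zipfile
from pathlib import Path

MIN_VERSION = (2, 17, 1)  # release the thread says passes the security scan
JAR_RE = re.compile(r"^log4j-(?P<module>.+)-(?P<ver>\d+(?:\.\d+)+)\.jar$")

def manifest_version(jar_path):
    """Implementation-Version recorded inside the jar, or None if unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):
        return None
    hit = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)+)\s*$", text, re.M)
    return hit.group(1) if hit else None

def audit(root):
    """Return (relative path, version found, status) per log4j-<module>-<ver>.jar."""
    findings = []
    for path in sorted(Path(root).rglob("log4j-*.jar")):
        named = JAR_RE.match(path.name)
        if not named:
            continue
        # Prefer the manifest: a renamed old jar still reports its real version.
        found = manifest_version(path) or named.group("ver")
        if tuple(map(int, found.split("."))) < MIN_VERSION:
            status = "OUTDATED"
        elif found != named.group("ver"):
            status = "MISMATCH"
        else:
            status = "OK"
        findings.append((path.relative_to(root).as_posix(), found, status))
    return findings

def demo():
    """Constructed tree: one replaced jar, one stale jar, one renamed stale jar."""
    root = Path(tempfile.mkdtemp())
    samples = [("lib/log4j-core-2.17.1.jar", "2.17.1"),
               ("lib/log4j-1.2-api-2.16.0.jar", "2.16.0"),
               ("extra/log4j-api-2.17.1.jar", "2.16.0")]
    for rel, real in samples:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / rel, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {real}\r\n")
    return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Calling `audit()` on a real install directory lists every jar still below 2.17.1, which is the evidence a scan team usually wants attached to a mitigation plan.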