On 4/14/2022 6:14 PM, Shawn Heisey wrote:
If you need to check a compliance box saying you dealt with a
nonexistent vulnerability, just replace the jars as I already said.
If you want to get really adventurous, you could clone the git repo,
check out branch_8_11, and build it yourself. That build would include
log4j 2.17.1.
Here's a transcript of a full build session on Ubuntu Linux:
https://paste.elyograg.org/view/ed0f1b1e
The required steps are found in the first 33 lines. The remaining 43000
lines are the whole build.
You will need Ant and a Java JDK. I know that openjdk-8 and openjdk-11
work. The build will likely not work on Windows. Some kind of *NIX
will probably be required.
On RPM-based distros like RHEL and CentOS, you'll probably have problems
with the packaged ant. I know how to fix those if you need it.
If you follow those instructions and the build succeeds, the package
files will be the following, relative to the top level of the git
clone. These work exactly like what you can download from
solr.apache.org, except most everything has "-SNAPSHOT" in the filenames:
solr/package/solr-8.11.2-SNAPSHOT.tgz
solr/package/solr-8.11.2-SNAPSHOT.zip
Thanks,
Shawn
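
A way to confirm which log4j version an extracted Solr package or install actually carries, after replacing the jars or building branch_8_11 as described in the message above. This is an added example, not part of the original message: the function names are hypothetical, and it assumes GNU `sort -V` and that jar file names carry the version (`log4j-<module>-<version>.jar`).

```shell
#!/usr/bin/env bash
# Added example: list log4j jar versions under a directory and flag any
# that are older than a required minimum (2.17.1 in the message above).

# Print "<version> <path>" for every log4j jar found under directory $1.
log4j_versions() {
  find "$1" -type f -name 'log4j-*.jar' | while IFS= read -r jar; do
    base=${jar##*/}
    # Keep what follows the last "-<digit>", e.g. log4j-1.2-api-2.17.1 -> 2.17.1
    ver=$(printf '%s\n' "${base%.jar}" | sed -E 's/^.*-([0-9].*)$/\1/')
    printf '%s %s\n' "$ver" "$jar"
  done
}

# True when version $1 sorts strictly before version $2 (GNU sort -V).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Return 0 if every log4j jar under $1 is at least version $2;
# otherwise list the offending jars on stderr and return 1.
check_log4j_min() {
  bad=$(log4j_versions "$1" | while read -r ver jar; do
    num=${ver%%-*}   # drop suffixes such as -SNAPSHOT before comparing
    if version_lt "$num" "$2"; then printf '%s\n' "$jar"; fi
  done)
  [ -z "$bad" ] && return 0
  printf 'log4j jars below %s:\n%s\n' "$2" "$bad" >&2
  return 1
}

# Demo on a constructed tree: empty files stand in for real jars.
demo_dir=$(mktemp -d)
touch "$demo_dir/log4j-core-2.17.1.jar" "$demo_dir/log4j-api-2.14.1.jar"
log4j_versions "$demo_dir"
check_log4j_min "$demo_dir" 2.17.1 || echo "older log4j jars still present"
rm -rf "$demo_dir"
```

Point `check_log4j_min` at the directory where the .tgz or .zip was unpacked; a leftover older jar anywhere under it makes the check fail.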