Hi Razvan,

Have you looked at https://solr.apache.org/security.html yet? Some of the CVEs in your list are already listed there. If you could eliminate the CVEs from your list that are already dealt with on that page, then you might get more attention. As it stands, you seem to be asking us to do that work for you.

Please note that there are two tables on that page, and one is near the bottom. This is something I realize perhaps could be made clearer with a table of contents or something.

Another thing to note is that in order for an actual vulnerability to exist, the dependency must be used in the ways described in the CVE. I notice you have many Jackson CVEs in your list, and there are a large number of Jackson CVEs that relate to features Solr does not use, and therefore do not pose a threat. This is explained in the second table near the bottom.

Let us know if you have found something not listed on that page (Ctrl-F find in your browser on the page for the CVE identifier may be quite useful), or if you have questions about a specific explanation offered on that page.

Best,
Gus

On Wed, Feb 15, 2023 at 12:20 PM Andy Lester <a...@petdance.com> wrote:
>
> > Any news on this?
> >
> > We know some of them are covered in
> > https://solr.apache.org/security.html#cve-reports-for-apache-solr-dependencies
> > but not all.
> >
> > We have also seen the
> > https://lists.apache.org/thread/539bkq8r11msjpl3yo1ssvy77kmdrps7
> >
> > Can we have a resolution for the above?
>
> What sort of resolution are you looking for?

-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)