> But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?

That's a good point. Wasn't originally my plan, but I can port as many CVEs as I reasonably can. :-)
I'm also now wondering if upgrading Tika and others in a bugfix release is a good idea. My thought is that if a user is stuck with 6x, these CVE fixes will help a lot. Hence, it makes sense to me to try to upgrade these components.

On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[email protected]> wrote:

> Ok for me. But I think that means we need to backport ALL known CVE issues
> that affect 6.x, is that your plan?
> I'm not sure if we are also expected (by ASF) to upgrade dependencies with
> known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> On 18 Mar 2019 at 08:08, Ishan Chattopadhyaya <[email protected]> wrote:
>
> > Hi,
> > There is a severe memory leak bug,
> > https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to
> > the 6x branch at the time of its resolution.
> >
> > I propose a 6.6.6 release with that fix (and any others that might be low
> > hanging, high severity issues). I am volunteering to be the RM for this.
> > Please let me know if there are any thoughts or objections.
> > Regards,
> > Ishan
> >
> > Disclaimer: I am primarily interested in this release upon the request of
> > one of my clients who are impacted by this bug, and I'm proposing to do
> > this release on their request.
