Sure , taking a first stab at it !
Will reach out on slack if I get stuck, Thanks !

On Wed, Jun 17, 2026 at 7:56 PM Richard Zowalla <[email protected]> wrote:

> The only thing open is doing the release:
> https://opennlp.apache.org/release.html
>
> Feel free to run your first one :)
>
> > Am 17.06.2026 um 16:18 schrieb Atita Arora <[email protected]>:
> >
> > If it helps , I can try to help as I have seen a bit of both codebases.
> > What are the next steps?
> >
> >
> > On Wed, 17 Jun 2026, 15:02 Eric Pugh, <[email protected]>
> > wrote:
> >
> >> I just created three VEX files for these three vulnerabilities for the
> >> Solr website: https://github.com/apache/solr-site/pull/192
> >>
> >> I’ll update the mitigation steps once 1.9.5 comes out!
> >>
> >>
> >>
> >>> On Jun 12, 2026, at 11:31 AM, Eric Pugh <
> [email protected]>
> >> wrote:
> >>>
> >>> Just looked at the branch, and thank you for doing the back port!
> >> Looking at the code, it would have taken me a week of work just do those
> >> back ports!
> >>>
> >>>> On Jun 12, 2026, at 10:52 AM, Richard Zowalla <[email protected]>
> wrote:
> >>>>
> >>>> So Martin merged all the stuff to 1.x - any volunteer to run the
> >> release?
> >>>>
> >>>>> Am 12.06.2026 um 16:24 schrieb Richard Zowalla <[email protected]>:
> >>>>>
> >>>>> Everything in question should now either be on opennlp-1.x branch or
> >> open as a PR ;-)
> >>>>>
> >>>>>> Am 12.06.2026 um 15:59 schrieb Martin Wiesner <[email protected]
> >:
> >>>>>>
> >>>>>> Hi all,
> >>>>>>
> >>>>>> I’ve just pushed a new 'opennlp-1.x‘ maintenance branch. It contains
> >> most of the (transient) dep updates as identified by Richard, see below.
> >>>>>> Moreover, it has a fix for OPENNLP-1826 which I could easily
> >> cherry-pick from 2.x maintenance branch.
> >>>>>>
> >>>>>> Rn, 1819, 1820 and 1821 require a deeper look and more work to be
> >> integrated. The delta is just to big to for easy cherries here.
> >>>>>>
> >>>>>> @ #3: Yes - should be conducted by PMC members.
> >>>>>> @ #4: I’d like to add, we should declare 1.x EOL, once and if we get
> >> an 1.9.5 (last) release out.
> >>>>>>
> >>>>>> Best
> >>>>>> Martin
> >>>>>>
> >>>>>>> Am 12.06.2026 um 15:15 schrieb Richard Zowalla <[email protected]>:
> >>>>>>>
> >>>>>>> From what I can see after c88f57814c0af0dccf471b895a35981ecdac2e7a
> >> - the work would be
> >>>>>>>
> >>>>>>> 1. Cherry pick or port the CVE fixes from 2.x into that branch.
> >> This would be (according to Martin - thx btw): OPENNLP-1819, 1820, 1821
> and
> >> 1826 (best case)
> >>>>>>> 2. Fix the transient CVEs (all in brat annotator)
> >>>>>>>
> >>>>>>> Dependency: com.fasterxml.jackson.core:jackson-databind
> >>>>>>> Current: 2.10.1
> >>>>>>> Issue: Long list of deserialization/DoS CVEs: CVE-2020-25649 (XXE),
> >> CVE-2020-36179/36180/36181/36182 + 2021-20190
> >>>>>>> (polymorphic
> >>>>>>> deser gadgets), CVE-2022-42003 / CVE-2022-42004 (DoS)
> >>>>>>> Fix to: ≥ 2.12.7.1 <http://2.12.7.1> (min) — better a current
> >> 2.18.x
> >>>>>>> ────────────────────────────────────────
> >>>>>>> Dependency: jackson-core / jackson-annotations
> >>>>>>> Current: 2.10.1
> >>>>>>> Issue: Keep in lockstep with databind (BOM)
> >>>>>>> Fix to: same train as databind
> >>>>>>> ────────────────────────────────────────
> >>>>>>> Dependency: org.glassfish.jersey.* (common, client, server,
> >> container-grizzly2, media-json-jackson, media-jaxb,
> >>>>>>> entity-filtering)
> >>>>>>> Current: 2.30.1
> >>>>>>> Issue: CVE-2021-28168 — local info disclosure via world‑readable
> >> temp file in jersey-common (affects 2.28–2.33)
> >>>>>>> Fix to: ≥ 2.34; for Java‑8 safety use 2.35
> >>>>>>> ────────────────────────────────────────
> >>>>>>> Dependency: org.glassfish.grizzly:grizzly-http-server / -http /
> >> -framework
> >>>>>>> Current: 2.4.4 (2018)
> >>>>>>> Issue: No single high CVE pinned to 2.4.4, but very stale; HTTP
> >> request-smuggling hardening landed in later 2.4.x. Pulled in
> >>>>>>> transitively by Jersey
> >>>>>>> Fix to: comes free when Jersey is bumped (2.35 → grizzly 2.4.4
> >> still; 2.40+ ships newer grizzly)
> >>>>>>>
> >>>>>>> 3. After a release: Talk with ASF Security to alter the published
> >> CVEs to include the new release as fix version (as I guess this effort
> is
> >> mostly driven by static CVE scanners blaming openlp right now).
> >>>>>>> 4. Decide in OpenNLP if and how many release lines we are willing
> >> to handle as a PMC.
> >>>>>>>
> >>>>>>> Gruß
> >>>>>>> Richard
> >>>>>>>
> >>>>>>>> Am 09.06.2026 um 22:00 schrieb Richard Zowalla <[email protected]>:
> >>>>>>>>
> >>>>>>>> As written: I dont mind if we do a release (as long as I am not
> >> the person doing it).
> >>>>>>>> Aisde from the back ports, it might also need dependency updates
> >> as well
> >>>>>>>>
> >>>>>>>>> Am 09.06.2026 um 14:42 schrieb Jeff Zemerick <
> >> [email protected]>:
> >>>>>>>>>
> >>>>>>>>> Yes, thanks Eric and Suneel - Lucene/Solr 9.
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>> Jeff
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Mon, Jun 8, 2026 at 11:54 AM Suneel Marthi <
> [email protected]>
> >> wrote:
> >>>>>>>>>>
> >>>>>>>>>> concur with Eric - it's {Lucene, Solr} - 9x.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> सोम, 8 जून 2026 को 11:19 am बजे को Eric Pugh <
> >>>>>>>>>> [email protected]> ने लिखा:
> >>>>>>>>>>
> >>>>>>>>>>> I think Jeff meant to say Lucene 9 (and Solr 9)!
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>> On Jun 8, 2026, at 10:40 AM, Richard Zowalla <
> >> [email protected]>
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> No, OpenNLP is used in Lucene.
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Am 08.06.2026 um 16:29 schrieb Suneel Marthi <
> >> [email protected]
> >>>>>>>>>>>> :
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Do we now have a Lucene/Solr dependency in OpenNLP ? or am I
> >> reading
> >>>>>>>>>>>>> this wrong?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> सोम, 8 जून 2026 को 10:26 am बजे को Richard Zowalla <
> >> [email protected]>
> >>>>>>>>>>> ने
> >>>>>>>>>>>>> लिखा:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hi all,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> This page lists Lucene 8 as EOL:
> >> https://endoflife.date/apache-lucene <
> https://endoflife.date/apache-lucene
> >>>
> >>>>>>>>>>> <https://endoflife.date/apache-lucene <
> >> https://endoflife.date/apache-lucene>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> And what I found here from SOLR is:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> "With Lucene 10 having been released, and therefore Lucene 8
> >> reaching
> >>>>>>>>>>> EOL,
> >>>>>>>>>>>>>> the Apache Lucene and Solr PMCs are no longer able to
> >> provide new
> >>>>>>>>>>> releases
> >>>>>>>>>>>>>> for Solr 8. Solr 8.11.4 will be the last release of Solr 8.“
> >>>>>>>>>>>>>> Cf.
> >> https://solr.apache.org/news.html#solr-8-reaches-end-of-life <
> >> https://solr.apache.org/news.html#solr-8-reaches-end-of-life> <
> >>>>>>>>>>> https://solr.apache.org/news.html#solr-8-reaches-end-of-life <
> >> https://solr.apache.org/news.html#solr-8-reaches-end-of-life>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Couldn’t find any authoritative source from the Lucene PMC
> >> regarding
> >>>>>>>>>>> only
> >>>>>>>>>>>>>> maintaining 2 release lines, but the Solr posted the above.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> In general: No objections from my side, but the last 8.11.x
> >> release of
> >>>>>>>>>>>>>> Lucene was done 2 years ago - so IMHO there should be a
> >> clear release
> >>>>>>>>>>> plan
> >>>>>>>>>>>>>> on their side, if we make the extra round-trip...
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Gruß
> >>>>>>>>>>>>>> Richard
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Am 08.06.2026 um 14:43 schrieb Jeff Zemerick <
> >> [email protected]
> >>>>>>>>>>>> :
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Hi all,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> About a month ago we had a few CVEs get addressed. (Thanks
> >> to those
> >>>>>>>>>>>>>>> who took care of them.) Those fixes went into the 2.x
> >> branch and for
> >>>>>>>>>>>>>>> 3.0.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> At least one of those CVEs affects 1.9.x. Normally, I don't
> >> think I
> >>>>>>>>>>>>>>> would worry about it, but in this case, Apache Lucene
> >> depends on
> >>>>>>>>>>>>>>> 1.9.x, and Lucene is still doing releases on that version
> >> (8.11),
> >>>>>>>>>>>>>>> which is used by Solr 8.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> What are everyone's thoughts on doing a 1.9.5 release to
> >> address, in
> >>>>>>>>>>>>>>> particular, OPENNLP-1820
> >>>>>>>>>>>>>>> (https://issues.apache.org/jira/browse/OPENNLP-1820 <
> >> https://issues.apache.org/jira/browse/OPENNLP-1820> <
> >>>>>>>>>>> https://issues.apache.org/jira/browse/OPENNLP-1820 <
> >> https://issues.apache.org/jira/browse/OPENNLP-1820>>) and then making a
> >>>>>>>>>>>>>>> PR to get 1.9.5 into Lucene (and then downstream into
> Solr)?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Thanks,
> >>>>>>>>>>>>>>> Jeff
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> Disclaimer
> >>>>>>>>>>>
> >>>>>>>>>>> The information contained in this communication from the sender
> >> is
> >>>>>>>>>>> confidential. It is intended solely for use by the recipient
> >> and others
> >>>>>>>>>>> authorized to receive it. If you are not the recipient, you are
> >> hereby
> >>>>>>>>>>> notified that any disclosure, copying, distribution or taking
> >> action in
> >>>>>>>>>>> relation of the contents of this information is strictly
> >> prohibited and may
> >>>>>>>>>>> be unlawful.
> >>>>>>>>>>>
> >>>>>>>>>>> This email has been scanned for viruses and malware, and may
> >> have been
> >>>>>>>>>>> automatically archived by Mimecast, a leader in email security
> >> and cyber
> >>>>>>>>>>> resilience. Mimecast integrates email defenses with brand
> >> protection,
> >>>>>>>>>>> security awareness training, web security, compliance and other
> >> essential
> >>>>>>>>>>> capabilities. Mimecast helps protect large and small
> >> organizations from
> >>>>>>>>>>> malicious activity, human error and technology failure; and to
> >> lead the
> >>>>>>>>>>> movement toward building a more resilient world. To find out
> >> more, visit
> >>>>>>>>>>> our website.
> >>>>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>
> >>
> >> Disclaimer
> >>
> >> The information contained in this communication from the sender is
> >> confidential. It is intended solely for use by the recipient and others
> >> authorized to receive it. If you are not the recipient, you are hereby
> >> notified that any disclosure, copying, distribution or taking action in
> >> relation of the contents of this information is strictly prohibited and
> may
> >> be unlawful.
> >>
> >> This email has been scanned for viruses and malware, and may have been
> >> automatically archived by Mimecast, a leader in email security and cyber
> >> resilience. Mimecast integrates email defenses with brand protection,
> >> security awareness training, web security, compliance and other
> essential
> >> capabilities. Mimecast helps protect large and small organizations from
> >> malicious activity, human error and technology failure; and to lead the
> >> movement toward building a more resilient world. To find out more, visit
> >> our website.
> >>
>
>

Reply via email to