On 12/21/21 2:18 PM, Gus Heck wrote:
> For what it's worth, I'm seeing IT depts not wanting to track exceptions to the rule (such as Solr) and requiring the library upgrades, period.
Earlier today I tried a jar upgrade from 2.11.0 to 2.17.0 on Solr 7.5.0. It was successful. I made sure that the admin UI logging tab still worked, by asking Solr to do a query that returned an error response.
Just now, I tried the same with Solr 7.4.0, which includes log4j 2.11.0 just like 7.5.0 does. That worked too.
When this problem first surfaced, I upgraded log4j on my own install of Solr 8.11.0 from 7.14.1 and it still works. I have seen a report from someone saying that they upgraded from 2.13.0 and that also worked. I don't recall the Solr version they had.
So nice that the log4j team has kept the API stable, so any vulnerable Solr version can simply replace the log4j jars with a newer version and know that they have fixed the problem.
Would there be any interest in a script to automate the upgrade process? Would also need to see if there is a secure way to validate file hashes.
Thanks,
Shawn
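One way the jar replacement and hash validation raised above could be scripted, as an added example that is not part of the original message or of Solr. The function names, the argument layout and the manifest format (`<sha256>  <filename>` lines, as `sha256sum` writes them) are assumptions; the manifest has to come from a source you already trust, since a manifest downloaded alongside the jars proves nothing.

```shell
#!/bin/sh
# Added example (not from the thread): check replacement log4j jars against a
# pinned SHA-256 manifest, then swap them in. No file is touched unless every
# replacement verifies.
# Usage: swap_log4j_jars LIB_DIR NEW_DIR MANIFEST NEW_VERSION BACKUP_DIR
#   LIB_DIR     directory holding the installed log4j-*.jar files
#   NEW_DIR     directory holding the downloaded replacement jars
#   MANIFEST    lines of "<sha256>  <filename>", obtained from a trusted source
#   BACKUP_DIR  where old jars are moved; keep it outside LIB_DIR

# Map an installed jar path to the replacement file name, for example
# .../log4j-1.2-api-2.11.0.jar + 2.17.0 -> log4j-1.2-api-2.17.0.jar
replacement_name() {
  rn_base=${1##*/}
  printf '%s-%s.jar\n' "${rn_base%-*}" "$2"
}

swap_log4j_jars() {
  lib_dir=$1 new_dir=$2 manifest=$3 new_ver=$4 backup_dir=$5

  # Pass 1: every installed jar needs a replacement whose hash is pinned.
  for old in "$lib_dir"/log4j-*.jar; do
    [ -e "$old" ] || continue
    new=$(replacement_name "$old" "$new_ver")
    [ "${old##*/}" = "$new" ] && continue      # already at target version
    [ -f "$new_dir/$new" ] || { echo "missing: $new" >&2; return 1; }
    # Exact file-name match; a jar absent from the manifest is a failure.
    want=$(awk -v f="$new" '$2 == f { print $1; exit }' "$manifest")
    got=$(sha256sum "$new_dir/$new" | awk '{ print $1 }')
    if [ -z "$want" ] || [ "$want" != "$got" ]; then
      echo "hash check failed: $new" >&2; return 1
    fi
  done

  # Pass 2: all checks passed, so move old jars aside and install new ones.
  mkdir -p "$backup_dir" || return 1
  for old in "$lib_dir"/log4j-*.jar; do
    [ -e "$old" ] || continue
    new=$(replacement_name "$old" "$new_ver")
    [ "${old##*/}" = "$new" ] && continue
    mv "$old" "$backup_dir/" && cp "$new_dir/$new" "$lib_dir/" || return 1
  done
}
```

Run it with Solr stopped, and repeat it for each directory in the install that carries log4j jars.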
