More specifically:

SOLR-16443: Upgrade Jackson bom to 2.13.4.20221013 (#1106)
SOLR-16568: Update FasterXML Woodstox to 6.4.0 (#1209)

I will push those cherry-picks tonight after my local build succeeds.
And I created a new JIRA issue for Protobuf:
https://issues.apache.org/jira/browse/SOLR-16598 which should be trivial.
Interestingly we're at a good version on main & branch_9x but it was
accidental / indirect. It's not appropriate to cherry pick the accidental /
indirect changes that lead to the CVE fix, as I think we're likely to remedy
that specific circumstance, thus going back to a vulnerable version in main.

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley

On Fri, Dec 23, 2022 at 8:16 AM David Smiley <dsmi...@apache.org> wrote:

> Thanks for volunteering!
>
> I'd like to propose that the upgrades to dependencies due to CVEs be
> back-ported to 9.1.1. I can help with this. One example I see is
> woodstox-core.
>
> ~ David Smiley
> Apache Lucene/Solr Search Developer
> http://www.linkedin.com/in/davidwsmiley
>
>
> On Thu, Dec 22, 2022 at 9:45 AM Michael Gibney <mich...@michaelgibney.net>
> wrote:
>
>> I'd like to get the ball rolling on a 9.1.1 bugfix release, and
>> volunteer to be release manager. There aren't very many bugfixes
>> accumulated since 9.1.0 on `branch_9_1`, but SOLR-16585 in particular
>> (NPE on MatchAllDocs pagination) should be fixed asap.
>>
>> I'm thinking to build a release candidate as early as possible in the new
>> year.
>>
>> Are there any outstanding bugfixes that anyone would like to backport
>> to `branch_9_1` before preparing the release?
>>
>> Michael
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
>> For additional commands, e-mail: dev-h...@solr.apache.org
>>
>>