Alex Johnston created SOLR-16060:
------------------------------------

             Summary: Clarify version lifecycle
                 Key: SOLR-16060
                 URL: https://issues.apache.org/jira/browse/SOLR-16060
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
          Components: documentation
    Affects Versions: 7.7.3
            Reporter: Alex Johnston
         Attachments: image-2022-02-28-15-42-49-391.png

The official downloads page is ambiguous regarding what versions of Solr are 
currently supported.

!image-2022-02-28-15-42-49-391.png|width=374,height=136!

In this section it lists
{quote}
|7.7.x Previous major version may sometimes receive critical bugfix releases|
{quote}
and 
{quote}
|<7.7|All older versions are End Of Life (EOL)|
{quote}
This implies version 7.7.x is _not_ end of life and < 7.7 is specifically 
listed as end of life.

The statement 'may sometimes receive critical bugfix releases' for 7.7.x would 
suggest it would receive critical bugfix releases, of all critical bugfix 
releases I would've thought security were the most critical.

Higher on the page it is specified:
{quote}*WARNING: The 7.7.3 release is not patched for [the latest known 
security vulnerabilities|https://solr.apache.org/security.html], and it is 
still uncertain whether a 7.7.4 release will happen, as 9.0 is currently being 
planned. New users should choose Solr 8.11.1, and existing 7.7.3 users should 
either upgrade or take actions to mitigate relevant vulnerabilities.*
{quote}
Considering the amount of time that has passed since Log4shell I presume it is 
safe to say 7.7.4 is not coming.

>From a normal standpoint this is {_}fine{_}, but I believe from a compliance 
>stand point it does not make sense for 7.7.x not to be listed as EOL if it 
>does not receive critical security fixes in a timely fashion. In our case we 
>are in somewhat of a limbo situation where a major compliance action is taking 
>place and a vulnerability is present but the software being run is that latest 
>version and still being supported.

We have mitigation in place while we're moving to Solr 8, but the simple 
presence of the vulnerability is adding a significant amount of overhead. It 
would be preferable simply list it as EOL. 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Reply via email to