[ https://issues.apache.org/jira/browse/SOLR-17353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18072199#comment-18072199 ]

Jan Høydahl commented on SOLR-17353:
------------------------------------

Hi [~sujeet-hinge] . I have decided to re-open this JIRA. Turns out that it is 
more involved than I thought.

Gosu binary links go libraries statically, so it won't help if Ubuntu upgrades 
go.

So for gosu to be updated in Ubuntu, they need to either include a newer 
version of it, which they tend to be reluctant to do in LTS releases, or 
re-build such tools on newer go versions, which they are super slow at, even 
if they sometimes do.


So I'll open a PR which does almost what your PR did, but a bit more involved:
 * Install a version of gosu as dictated by an ARG statement, as well as its 
.asc file
 * Download author's GPG key and validate the signature
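The two steps above, written out as a Dockerfile fragment. This is an added example, not the PR's code and not the gosu project's own Dockerfile; the `GOSU_VERSION` pin is an assumed value, the download URLs are the gosu GitHub release layout, and the `GOSU_GPG_KEY` fingerprint is the one published in the gosu README, which should be confirmed upstream before use:

```dockerfile
# Added example: pin gosu by ARG and verify the release signature during build.
# GOSU_VERSION is an assumed pin; bump it deliberately, not via the base image.
ARG GOSU_VERSION=1.17
# Fingerprint of the gosu author's release key as listed in the gosu README.
# Treat it as an assumption here and check it against the upstream README.
ARG GOSU_GPG_KEY=B42F6819007F00F88E364FD4036A9C25BF357DD4

# The binary and its detached .asc signature are fetched into a throwaway
# GNUPGHOME containing only the pinned key, so a valid signature from any
# other key still fails the build.
RUN set -eux; \
    savedAptMark="$(apt-mark showmanual)"; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates gnupg wget; \
    dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
    wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}"; \
    wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc"; \
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GOSU_GPG_KEY}"; \
    gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
    gpgconf --kill all; \
    rm -rf "${GNUPGHOME}" /usr/local/bin/gosu.asc; \
    apt-mark auto '.*' > /dev/null; \
    [ -z "${savedAptMark}" ] || apt-mark manual ${savedAptMark}; \
    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
    rm -rf /var/lib/apt/lists/*; \
    chmod +x /usr/local/bin/gosu; \
    gosu --version; \
    gosu nobody true
```

Because `set -e` is in effect, a failed download or a signature that does not verify aborts the build rather than leaving an unverified binary in the image. Since gosu is statically linked, the Go toolchain version that scanners match the listed Go CVEs against is the one embedded in the binary at build time; in an environment that has the Go toolchain, `go version -m /usr/local/bin/gosu` prints that embedded version, which is the value to compare against the advisories rather than Ubuntu's `golang` package.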

> CVE for GoLang and Ubuntu
> -------------------------
>
>                 Key: SOLR-17353
>                 URL: https://issues.apache.org/jira/browse/SOLR-17353
>             Project: Solr
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 9.6
>            Reporter: Sujeet Hinge
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> During our recent security assessments, we have identified several 
> vulnerabilities in the SOLR 9.6.0 package related to Golang and Ubuntu 
> components. Given the potential risk to our systems, we are reaching out for 
> your expertise and support in addressing these issues promptly.
> *Ubuntu Vulnerabilities:*
> ·  CVE-2024-33599
> ·  CVE-2024-2236
> ·  CVE-2024-33600
> ·  CVE-2024-26462
> ·  CVE-2024-22916
> ·  CVE-2024-31879
> *Golang Vulnerabilities in SOLR 9.6.0:*
> ·  CVE-2023-29402
> ·  CVE-2023-24538
> ·  CVE-2022-23806
> ·  CVE-2021-38297
> ·  CVE-2023-29405
> ·  CVE-2023-29404
> ·  CVE-2023-24540
> ·  CVE-2023-39323
> ·  CVE-2022-30633
> ·  CVE-2023-24534
> ·  CVE-2022-29804
> ·  CVE-2022-30630
> ·  CVE-2023-24539
> ·  CVE-2022-2880
> ·  CVE-2023-45285
> ·  CVE-2021-41771
> ·  CVE-2023-45287
> ·  CVE-2022-30631
> ·  CVE-2022-23772
> The component impacted includes the Golang library with the hash {{sha256 
> 51611cdb452a872da14c789533d5aa5208d025f7d940c4367d140ca3b5e66d07}}. We 
> urgently need to understand the potential patches or mitigation strategies 
> you recommend, and the timeline for when these might be implemented in SOLR.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
