[ https://issues.apache.org/jira/browse/SOLR-17353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18072214#comment-18072214 ]
Sujeet Hinge commented on SOLR-17353:
-------------------------------------
Hi [~janhoy],
Please find the list of recent Critical & High CVEs:
|Summary|CVEs|Severity|Jfrog Severity|Type|Provider|Component|Infected Version|Fix Version|Edited|Component Versions Id|CVSS v2|CVSS v3|Cwe|Id|Is Source Root|Source Comp Id|Source Id|Component Physical Paths|Applicability|
|A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.|CVE-2025-61732|High| |security|JFrog|github.com/golang/go|< 1.24.13,1.25.0-0 ≤ Version < 1.25.7|1.24.13 ≤ Version ≤ 1.24.13,1.25.7 ≤ Version ≤ 1.25.7|2026-02-07T19:19:34Z|github.com/golang/go|8.6/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H|CWE-94|XRAY-940266|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.|CVE-2025-61731|High| |security|JFrog|github.com/golang/go|< 1.24.12,1.25.0 ≤ Version < 1.25.6|1.24.12 ≤ Version ≤ 1.24.12,1.25.6 ≤ Version ≤ 1.25.6|2026-01-31T19:23:07Z|github.com/golang/go|7.8/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H|CWE-78|XRAY-937492|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.|CVE-2024-34156|High|Medium|security|JFrog|github.com/golang/go|< 1.22.7,1.23.0-0 ≤ Version < 1.23.1|1.22.7 ≤ Version ≤ 1.22.7,1.23.1 ≤ Version ≤ 1.23.1|2026-01-09T19:19:05Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-674|XRAY-642402|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.|CVE-2024-34158|High| |security|JFrog|github.com/golang/go|< 1.22.7,1.23.0-0 ≤ Version < 1.23.1|1.22.7 ≤ Version ≤ 1.22.7,1.23.1 ≤ Version ≤ 1.23.1|2026-01-09T19:19:05Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-674|XRAY-642404|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.|CVE-2025-47907|High| |security|JFrog|github.com/golang/go|< 1.23.12,1.24.0 ≤ Version < 1.24.6|1.23.12 ≤ Version ≤ 1.23.12,1.24.6 ≤ Version ≤ 1.24.6|2025-08-09T19:19:02Z|github.com/golang/go|7.0/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L|CWE-362|XRAY-713818|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.|CVE-2025-58187|High| |security|JFrog|github.com/golang/go|< 1.24.9,1.25.0 ≤ Version < 1.25.2|1.24.9 ≤ Version ≤ 1.24.9,1.25.2 ≤ Version ≤ 1.25.2|2025-11-26T19:19:08Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-407|XRAY-738541|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.|CVE-2025-68121|Critical|Medium|security|JFrog|github.com/golang/go|< 1.24.13,1.25.0-0 ≤ Version < 1.25.7,1.26.0-rc.1 ≤ Version < 1.26.0-rc.3|1.24.13 ≤ Version ≤ 1.24.13,1.25.7 ≤ Version ≤ 1.25.7,1.26.0-rc.3 ≤ Version ≤ 1.26.0-rc.3|2026-04-07T19:19:04Z|github.com/golang/go|10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|CWE-295,CWE-1395|XRAY-940770|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.|CVE-2026-1605|High| |security|JFrog|org.eclipse.jetty:jetty-server|12.0.0 ≤ Version ≤ 12.0.31,12.1.0 ≤ Version ≤ 12.1.5|12.0.32 ≤ Version ≤ 12.0.32,12.1.6 ≤ Version ≤ 12.1.6|2026-03-07T19:19:03Z|org.eclipse.jetty:jetty-server|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-401,CWE-400|XRAY-949271|FALSE|gav://org.eclipse.jetty:jetty-server:12.0.27|gav://org.eclipse.jetty:jetty-server|sha256__b9423646dd94f6f00b3e0a9afdb7d75b68972535babbf92a409c1a5407d35398.tar.gz/opt/solr-10.0.0/server/lib/ext/jetty-server-12.0.27.jar|Not Covered|
|Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.|CVE-2025-12183|High| |security|JFrog|org.lz4:lz4-java|< 1.8.1|1.8.1|2025-12-05T19:19:03Z|org.lz4:lz4-java| |CWE-125|XRAY-900382|FALSE|gav://org.lz4:lz4-java:1.8.0|gav://org.lz4:lz4-java|sha256__b9423646dd94f6f00b3e0a9afdb7d75b68972535babbf92a409c1a5407d35398.tar.gz/opt/solr-10.0.0/modules/cross-dc/lib/lz4-java-1.8.0.jar|Not Covered|
|The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.|CVE-2025-61725|High| |security|JFrog|github.com/golang/go|< 1.24.8,1.25.0 ≤ Version < 1.25.2|1.24.8 ≤ Version ≤ 1.24.8,1.25.2 ≤ Version ≤ 1.25.2|2025-12-11T19:19:03Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-407|XRAY-738546|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.|CVE-2025-4674|High| |security|JFrog|github.com/golang/go|< 1.23.11,1.24.0-0 ≤ Version < 1.24.5|1.23.11 ≤ Version ≤ 1.23.11,1.24.5 ≤ Version ≤ 1.24.5|2025-08-08T19:19:06Z|github.com/golang/go|8.6/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H|CWE-73|XRAY-712293|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.|CVE-2024-24791|High| |security|JFrog|github.com/golang/go|< 1.21.12,1.22.0-0 ≤ Version < 1.22.5|1.21.12 ≤ Version ≤ 1.21.12,1.22.5 ≤ Version ≤ 1.22.5|2026-01-09T19:19:05Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|XRAY-616759|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.|CVE-2025-22871|Critical|Medium|security|JFrog|github.com/golang/go|< 1.23.8,1.24.0-0 ≤ Version < 1.24.2|1.23.8 ≤ Version ≤ 1.23.8,1.24.2 ≤ Version ≤ 1.24.2|2025-10-26T19:18:24Z|github.com/golang/go|9.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N|CWE-444,CWE-1395|XRAY-692219|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.|CVE-2025-61726|High| |security|JFrog|github.com/golang/go|< 1.24.12,1.25.0 ≤ Version < 1.25.6|1.24.12 ≤ Version ≤ 1.24.12,1.25.6 ≤ Version ≤ 1.25.6|2026-01-31T19:25:25Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-400|XRAY-937489|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.|CVE-2025-61723|High| |security|JFrog|github.com/golang/go|< 1.24.8,1.25.0 ≤ Version < 1.25.2|1.24.8 ≤ Version ≤ 1.24.8,1.25.2 ≤ Version ≤ 1.25.2|2025-11-05T19:19:04Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-407|XRAY-738544|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.|CVE-2024-24790|Critical| |security|JFrog|github.com/golang/go|< 1.21.11,1.22.0 ≤ Version < 1.22.4|1.21.11 ≤ Version ≤ 1.21.11,1.22.4 ≤ Version ≤ 1.22.4|2025-07-20T19:19:27Z|github.com/golang/go|9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H|NVD-CWE-noinfo,CWE-180|XRAY-606108|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.|CVE-2025-58188|High| |security|JFrog|github.com/golang/go|< 1.24.8,1.25.0 ≤ Version < 1.25.2|1.24.8 ≤ Version ≤ 1.24.8,1.25.2 ≤ Version ≤ 1.25.2|2025-11-01T19:19:05Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-248|XRAY-738542|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.|CVE-2026-27137|High| |security|JFrog|github.com/golang/go|1.26.0-0 ≤ Version < 1.26.1|1.26.1|2026-03-12T19:19:03Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-295|XRAY-949620|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.|CVE-2025-61729|High| |security|JFrog|github.com/golang/go|< 1.24.11,1.25.0 ≤ Version < 1.25.5|1.24.11 ≤ Version ≤ 1.24.11,1.25.5 ≤ Version ≤ 1.25.5|2025-12-04T19:19:19Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-400|XRAY-900024|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.|CVE-2026-25679|High| |security|JFrog|github.com/golang/go|< 1.25.8,1.26.0-0 ≤ Version < 1.26.1|1.25.8 ≤ Version ≤ 1.25.8,1.26.1 ≤ Version ≤ 1.26.1|2026-03-12T19:19:03Z|github.com/golang/go|7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|CWE-1286|XRAY-949619|FALSE|go://github.com/golang/go:1.22.2|go://github.com/golang/go|sha256__31832fab5a78a2af72d7816e4632a042db0457376c48ccb2f8d26827bbe8009d.tar.gz/usr/sbin/gosu/github.com/golang/go|Not Covered|
|yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.|CVE-2025-66566|High| |security|JFrog|org.lz4:lz4-java|≤ 1.8.1|2025-12-07T19:20:28Z|org.lz4:lz4-java| |CWE-201|XRAY-901520|FALSE|gav://org.lz4:lz4-java:1.8.0|gav://org.lz4:lz4-java|sha256__b9423646dd94f6f00b3e0a9afdb7d75b68972535babbf92a409c1a5407d35398.tar.gz/opt/solr-10.0.0/modules/cross-dc/lib/lz4-java-1.8.0.jar|Not Covered|
> Upgrade gosu in Dockerfile to 1.19 to reduce CVE for GoLang and Ubuntu
> ----------------------------------------------------------------------
>
> Key: SOLR-17353
> URL: https://issues.apache.org/jira/browse/SOLR-17353
> Project: Solr
> Issue Type: Bug
> Components: security
> Affects Versions: 9.6
> Reporter: Sujeet Hinge
> Assignee: Jan Høydahl
> Priority: Blocker
> Labels: pull-request-available
> Fix For: 10.1
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> During our recent security assessments, we have identified several
> vulnerabilities in the SOLR 9.6.0 package related to Golang and Ubuntu
> components. Given the potential risk to our systems, we are reaching out for
> your expertise and support in addressing these issues promptly.
> *Ubuntu Vulnerabilities:*
> · CVE-2024-33599
> · CVE-2024-2236
> · CVE-2024-33600
> · CVE-2024-26462
> · CVE-2024-22916
> · CVE-2024-31879
> *Golang Vulnerabilities in SOLR 9.6.0:*
> · CVE-2023-29402
> · CVE-2023-24538
> · CVE-2022-23806
> · CVE-2021-38297
> · CVE-2023-29405
> · CVE-2023-29404
> · CVE-2023-24540
> · CVE-2023-39323
> · CVE-2022-30633
> · CVE-2023-24534
> · CVE-2022-29804
> · CVE-2022-30630
> · CVE-2023-24539
> · CVE-2022-2880
> · CVE-2023-45285
> · CVE-2021-41771
> · CVE-2023-45287
> · CVE-2022-30631
> · CVE-2022-23772
> The component impacted includes the Golang library with the hash {{sha256
> 51611cdb452a872da14c789533d5aa5208d025f7d940c4367d140ca3b5e66d07}}. We
> urgently need to understand the potential patches or mitigation strategies
> you recommend, and the timeline for when these might be implemented in SOLR.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)