[ https://issues.apache.org/jira/browse/SOLR-17353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18072227#comment-18072227 ]

Jan Høydahl commented on SOLR-17353:
------------------------------------

[~sujeet-hinge] No need to add this wall of text; you can always see the scan result of all our images at
[https://hub.docker.com/layers/library/solr/10.0.0/images/sha256-53dbd92268eebb331acadcc321ea9af46325bf7dee4a0fae494f8412ad48149a]

And it is not realistic to get to zero, as new ones will always crop up, most of them false positives in the context of Solr.

I'm in fact considering whether the right action here is to simply remove gosu from our image...

> Upgrade gosu in Dockerfile to 1.19 to reduce CVE for GoLang and Ubuntu
> ----------------------------------------------------------------------
>
>                 Key: SOLR-17353
>                 URL: https://issues.apache.org/jira/browse/SOLR-17353
>             Project: Solr
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 9.6
>            Reporter: Sujeet Hinge
>            Assignee: Jan Høydahl
>            Priority: Blocker
>              Labels: pull-request-available
>             Fix For: 10.1
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> During our recent security assessments, we have identified several 
> vulnerabilities in the SOLR 9.6.0 package related to Golang and Ubuntu 
> components. Given the potential risk to our systems, we are reaching out for 
> your expertise and support in addressing these issues promptly.
> *Ubuntu Vulnerabilities:*
> ·  CVE-2024-33599
> ·  CVE-2024-2236
> ·  CVE-2024-33600
> ·  CVE-2024-26462
> ·  CVE-2024-22916
> ·  CVE-2024-31879
> *Golang Vulnerabilities in SOLR 9.6.0:*
> ·  CVE-2023-29402
> ·  CVE-2023-24538
> ·  CVE-2022-23806
> ·  CVE-2021-38297
> ·  CVE-2023-29405
> ·  CVE-2023-29404
> ·  CVE-2023-24540
> ·  CVE-2023-39323
> ·  CVE-2022-30633
> ·  CVE-2023-24534
> ·  CVE-2022-29804
> ·  CVE-2022-30630
> ·  CVE-2023-24539
> ·  CVE-2022-2880
> ·  CVE-2023-45285
> ·  CVE-2021-41771
> ·  CVE-2023-45287
> ·  CVE-2022-30631
> ·  CVE-2022-23772
> The component impacted includes the Golang library with the hash {{sha256 51611cdb452a872da14c789533d5aa5208d025f7d940c4367d140ca3b5e66d07}}. We 
> urgently need to understand the potential patches or mitigation strategies 
> you recommend, and the timeline for when these might be implemented in SOLR.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

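Added example, not part of this issue and not Solr project code: the Golang findings listed in the issue are scanner matches against the Go toolchain and modules statically linked into the gosu binary, so the first check a practitioner wants is what that binary was actually built with. When a Go toolchain is at hand, `go version -m /path/to/gosu` prints this. The script below reads the same `.go.buildinfo` blob directly (inline layout, Go 1.18 and later only), so it can be run against a gosu binary copied out of a container with `docker cp` on a host without Go installed. The path of gosu inside the image, the "minimum toolchain" threshold in `main`, and the fake ELF bytes and module list embedded as `SAMPLE_BINARY` are all constructed for the demonstration and are not facts about the Solr image.

```python
# Read the Go toolchain version and module list that the Go linker embeds in a
# static binary (the data `go version -m` prints). Inline layout (Go >= 1.18) only.
import re
import sys

BUILDINFO_MAGIC = b"\xff Go buildinf:"  # 14-byte marker at the start of the blob
FLAG_INLINE = 0x02                       # flags bit: version/modinfo stored inline
HEADER_SIZE = 32                         # magic + ptrsize + flags + 16 reserved bytes
# 16-byte sentinels the toolchain wraps around modinfo; only lengths matter below.
MODINFO_START = bytes.fromhex("3077af0c9274080241e1c107e6d618e6")
MODINFO_END = bytes.fromhex("f932433186182072008242104116d8f2")

def _read_uvarint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode an unsigned LEB128 varint (Go's encoding/binary.Uvarint)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7

def _read_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Varint length-prefixed string, as written for the inline layout."""
    length, pos = _read_uvarint(buf, pos)
    return buf[pos:pos + length], pos + length

def go_build_info(binary: bytes) -> tuple[str, str]:
    """Return (go_version, modinfo) from the buildinfo blob, or raise ValueError."""
    off = binary.find(BUILDINFO_MAGIC)
    if off < 0:
        raise ValueError("no Go buildinfo blob: not a Go binary, or stripped")
    if not binary[off + 15] & FLAG_INLINE:
        raise ValueError("pre-Go 1.18 pointer layout; use `go version -m` for this one")
    version, pos = _read_string(binary, off + HEADER_SIZE)
    modinfo, _ = _read_string(binary, pos)
    # Same sentinel stripping as Go's debug/buildinfo: drop 16 bytes at each end
    # when the payload between them ends with a newline, else treat it as absent.
    if len(modinfo) >= 33 and modinfo[-17] == ord("\n"):
        modinfo = modinfo[16:-16]
    else:
        modinfo = b""
    return version.decode("utf-8", "replace"), modinfo.decode("utf-8", "replace")

def go_version_tuple(version: str) -> tuple[int, int, int]:
    """'go1.21.4' -> (1, 21, 4); 'go1.22rc1' -> (1, 22, 0), pre-release suffix ignored."""
    m = re.match(r"go(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Go version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_older_than(found: str, minimum: str) -> bool:
    """True when the embedded toolchain is below the version the caller requires."""
    return go_version_tuple(found) < go_version_tuple(minimum)

def modinfo_deps(modinfo: str) -> dict[str, str]:
    """Dependency module path -> version, from the 'dep' lines of modinfo."""
    deps = {}
    for line in modinfo.splitlines():
        fields = line.split("\t")
        if fields[0] == "dep" and len(fields) >= 3:
            deps[fields[1]] = fields[2]
    return deps

def _uvarint(n: int) -> bytes:
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

# Constructed stand-in for a gosu binary: fake ELF prefix, then a blob in the inline
# layout (ptrsize 8; flags = little-endian 0 | inline 2). The module list is made up.
SAMPLE_VERSION = b"go1.21.4"
SAMPLE_MODINFO = (
    b"path\tgithub.com/tianon/gosu\n"
    b"mod\tgithub.com/tianon/gosu\t(devel)\t\n"
    b"dep\tgolang.org/x/sys\tv0.15.0\th1:CONSTRUCTED-NOT-A-REAL-HASH=\n"
)
_wrapped = MODINFO_START + SAMPLE_MODINFO + MODINFO_END
SAMPLE_BINARY = (
    b"\x7fELF" + b"\x00" * 60
    + BUILDINFO_MAGIC + bytes([8, FLAG_INLINE]) + b"\x00" * 16
    + _uvarint(len(SAMPLE_VERSION)) + SAMPLE_VERSION
    + _uvarint(len(_wrapped)) + _wrapped
    + b"\x00" * 16
)

def main(argv: list[str]) -> int:
    """Usage: gobuildinfo.py <binary> [minimum-go-version]; threshold is the caller's policy."""
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_BINARY
    minimum = argv[2] if len(argv) > 2 else "go1.21.5"  # assumed policy value, not a fact
    version, modinfo = go_build_info(data)
    print(f"toolchain: {version}")
    for path, ver in modinfo_deps(modinfo).items():
        print(f"dep: {path} {ver}")
    if is_older_than(version, minimum):
        print(f"FAIL: built with {version}, policy requires >= {minimum}")
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it parses the constructed sample; with `docker cp <container>:/usr/local/bin/gosu ./gosu && python gobuildinfo.py ./gosu go1.21.5` (gosu path assumed) it reports the real toolchain and module versions, which is what to compare against the scanner's per-CVE "fixed in" Go version before deciding whether a gosu bump changes anything. Binaries built with Go older than 1.18 store pointers instead of inline strings and are rejected here rather than misparsed.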