Hi,

in our project, we're checking JAR dependencies with the OWASP dependency check [1] for security issues for which CVEs have been reported.

There are CVEs for some of Solr's third-party dependencies in version 7.6.0, and I wonder if you have plans to update these to unaffected versions. I don't know if these CVEs affect Solr, but even if they don't, IMHO it would be good to update them so that users don't need to analyze the reports in detail.

This is what I found for solr-core Maven dependencies:

* protobuf-java-3.1.0.jar https://nvd.nist.gov/vuln/detail/CVE-2015-5237 (fixed since protobuf 3.4)
* dom4j-1.6.1.jar https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 (fixed in dom4j 2.1.1)
* hadoop-hdfs-2.7.4.jar https://nvd.nist.gov/vuln/detail/CVE-2017-15718 (fixed in hadoop 2.7.5)

What do you think?

Thanks,
Andreas

[1] https://www.owasp.org/index.php/OWASP_Dependency_Check
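The triage step the mail describes (turning a dependency-check report into a short list of affected JARs and deciding whether it should block a build) can be automated. The script below is an added example, not code from the mail, from Solr or from the dependency-check project. It assumes the JSON report layout named in the comments (a top-level "dependencies" list with "fileName" and "vulnerabilities" entries); check that against the report your dependency-check version actually writes. The embedded report is a constructed excerpt using the three JARs and CVE IDs from the mail; the severity strings and CVSS scores in it are made-up sample values, not the real ratings of those CVEs.

```python
import json
from typing import Any, Dict, List, Tuple

NVD_URL = "https://nvd.nist.gov/vuln/detail/{}"

# Constructed excerpt in the shape of a dependency-check JSON report.
# Assumption about the layout: a top-level "dependencies" list whose entries
# carry "fileName" and, when something was matched, a "vulnerabilities" list
# with "name", "severity" and a "cvssv3" or "cvssv2" block.
# The severity strings and scores are made-up sample values, not the real
# ratings of these CVEs.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "protobuf-java-3.1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-2015-5237", "severity": "HIGH",
              "cvssv3": {"baseScore": 8.8}}]},
        {"fileName": "dom4j-1.6.1.jar",
         "vulnerabilities": [
             {"name": "CVE-2018-1000632", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "hadoop-hdfs-2.7.4.jar",
         "vulnerabilities": [
             {"name": "CVE-2017-15718", "severity": "MEDIUM",
              "cvssv2": {"score": 4.3}}]},
        # a clean dependency: no "vulnerabilities" key at all
        {"fileName": "lucene-core-7.6.0.jar"},
    ]
})

Finding = Tuple[str, str, str, float]  # (jar, cve, nvd url, score)


def _score(vuln: Dict[str, Any]) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, then 0.0 for unscored entries."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def findings(report_json: str) -> List[Finding]:
    """Flatten the report into one (jar, cve, url, score) row per CVE, sorted by jar then CVE."""
    report = json.loads(report_json)
    rows: List[Finding] = []
    for dep in report.get("dependencies", []):
        jar = dep.get("fileName", "<unknown>")
        # dependencies without matches may omit the key or carry null
        for vuln in dep.get("vulnerabilities") or []:
            cve = vuln["name"]
            rows.append((jar, cve, NVD_URL.format(cve), _score(vuln)))
    return sorted(rows)


def worst_score(report_json: str) -> float:
    """Highest score across all findings; 0.0 for a clean report."""
    return max((row[3] for row in findings(report_json)), default=0.0)


def violates_threshold(report_json: str, threshold: float) -> bool:
    """True when any finding scores at or above the CI gate (same idea as failBuildOnCVSS)."""
    return worst_score(report_json) >= threshold


def as_bullet_list(report_json: str) -> str:
    """Render findings as '* jar url' lines, the way the mail above lists them."""
    return "\n".join(f"* {jar} {url}" for jar, _cve, url, _score_ in findings(report_json))


if __name__ == "__main__":
    print(as_bullet_list(SAMPLE_REPORT))
    print("worst score:", worst_score(SAMPLE_REPORT))
    print("fails gate at 7.0:", violates_threshold(SAMPLE_REPORT, 7.0))
```

In a real pipeline you would feed it the report file dependency-check writes instead of SAMPLE_REPORT, and treat violates_threshold() as the build gate; the bullet list is what goes into the mail or ticket asking for the dependency bump.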
