Hi Jan,

Thanks for pointing out the update ticket. I took a dive into the code for the zlib issue. From what I can tell w/ the zlib CVE and what I found in Solr code, the specific header (inflateGetHeader) isn’t actually called. Based on that, I don’t think this will be an issue, but I definitely wanted to confirm, as my security team pointed that one out specifically.

Joe

On 2022/11/03 11:51:41 Jan Høydahl wrote:
> Will arrive in 8.11.3 and 9.1 https://issues.apache.org/jira/browse/SOLR-16421
>
> Why do you believe Solr is vulnerable to lib CVE-2022-37434?
>
> Jan
>
> > On 2 Nov 2022 at 21:31, Joseph Gonzalez <[email protected]> wrote:
> >
> > Hello,
> >
> > My project security team ran a scan against a SOLR 8.11.1 Docker Image and
> > found a couple vulnerabilities that they recommended I open tickets for.
> >
> > Apache Calcite Driver
> > CVE-2022-36364
> >
> > Apache Avatica Core
> > CVE-2022-39135
> >
> > Zlib
> > CVE-2022-37434
> >
> > Thanks,
> >
> > Joe
