You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2021/12/28 01:34:00 UTC

[jira] [Resolved] (SOLR-15881) Solr 8.11.1 compatibility with Spring Boot and `solr-clustering` 8.7.0

     [ https://issues.apache.org/jira/browse/SOLR-15881?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl resolved SOLR-15881.
--------------------------------
    Resolution: Invalid

{quote}1. Is the `solr-clustering:8.7.0` itself also affected by this CVE?
{quote}
CVE-2021-44548 is for DIH, not for clustering contrib. Clustering contrib for 8.7 may have its own issues, and you should check that before using it.
{quote}2. Is the `solr-clustering:8.7.0` compatible with solr components of 8.11.1 version?
{quote}
People have reporterd successful use of clustering 8.7.0 with Solr 8.11
{quote}3. Is Solr 8.11.1 itself compatible with Spring Boot 2.4.13, 2.5.8 and 2.6.2? As for now, they all come with solr 8.5.2 components.
{quote}
You'll have to ask Spring (spring-data-solr?) project about this as we don't track that on our end. Likely Spring will include a certain version of SolrJ client library. In most cases you can mix and match different client and server versions, but there have been cases where the binary protocol (JavaBin) have had issues across versions, please check that out by testing on a test cluster first. I believe from memory that 8.5 client should work with 8.11 server. 
{quote}4. In case Solr 8.11.1 is not compatible with Spring Boot, will there be a down port of the fix for this CVE?
{quote}
There will definitely not be a new 8.5 release. I'd go with 8.11.1 on server side and 8.5 on client side and test thoroughly. If you really need a patched 8.5 version you'll have to patch and build yourself.

I'm closing this Jira now. This project uses Jira as a bug tool, not as a support channel. So if you have followup questions, please use the [users@solr.apache.org|mailto:users@solr.apache.org] mailing list, see [https://solr.apache.org/community.html#mailing-lists-chat] 

> Solr 8.11.1 compatibility with Spring Boot and `solr-clustering` 8.7.0
> ----------------------------------------------------------------------
>
>                 Key: SOLR-15881
>                 URL: https://issues.apache.org/jira/browse/SOLR-15881
>             Project: Solr
>          Issue Type: Test
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ivan Viaznikov
>            Priority: Major
>
> The CVE-2021-44548 ([https://nvd.nist.gov/vuln/detail/CVE-2021-44548)] is reported for solr components and it is said to be fixed in version 8.11.1.
> It is also reported for `solr-clustering:8.7.0`, which is the latest version. It depends on solr-core component. Several questions arise on this situation:
>  # Is the `solr-clustering:8.7.0` itself also affected by this CVE?
>  # Is the `solr-clustering:8.7.0` compatible with solr components of 8.11.1 version?
>  # Is Solr 8.11.1 itself compatible with Spring Boot 2.4.13, 2.5.8 and 2.6.2? As for now, they all come with solr 8.5.2 components.
>  # In case Solr 8.11.1 is not compatible with Spring Boot, will there be a down port of the fix for this CVE?
> Requesting you to clarify this



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org